
Security audit

Evolver 1.17.1

Security checks across malware telemetry and agentic risk

Overview

This is a powerful self-evolving agent skill, but it reaches beyond local prompt analysis by reading broad local agent history, using external EvoMap hub workflows, and enabling automated/background mutation paths.

Install only if you intentionally want an autonomous agent-evolution daemon with access to local agent history and workspace state. Review and disable external hub features, auto-update, auto-publish, loop mode, and rollback behavior unless you explicitly need them; use review/dry-run modes and a clean git working tree. VirusTotal was pending and was not used as the basis for this Review verdict.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (125)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises capabilities that imply environment and network access, but the manifest does not declare corresponding permissions. This weakens operator visibility and policy enforcement, making it easier for a self-evolving skill to access sensitive environment data or communicate externally without explicit approval.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose frames the skill as local runtime analysis and protocol-constrained evolution, but the detected behavior includes extensive remote account registration, task execution, asset exchange, heartbeat maintenance, and publication to external services. This mismatch is dangerous because users may grant trust to a local self-improvement tool without realizing it can exfiltrate data, import untrusted content, or perform external actions on their behalf.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The README states the tool does not edit code automatically, but elsewhere documents self-repair, auto-heal, cleanup, and git emergency repair behaviors that can modify the workspace. This mismatch can mislead operators into granting the skill broader trust or autonomy than intended, increasing the risk of unsafe deployment and unnoticed destructive changes.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
This is the same underlying issue as the prior finding: the FAQ minimizes automation risk while the rest of the README describes autonomous repair-related actions. In a self-evolving agent context, inaccurate safety framing is dangerous because users may rely on the documentation to decide whether the skill can run unattended.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The documented public release and GitHub publishing capabilities materially expand the skill's operational scope beyond local prompt evolution into external distribution. In an autonomous or semi-autonomous agent, this broad capability set raises the risk of accidental data exposure, unauthorized publication, or misuse of repository credentials.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
GitHub release creation and public publishing are context-inappropriate for a self-evolution engine because they introduce outbound, high-impact actions unrelated to the core analytical function. In this skill context, such capabilities increase blast radius: a compromised or misdirected agent could exfiltrate code, publish unwanted artifacts, or abuse release tokens.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The README openly describes code publishing, remote repository push, and GitHub Release creation capabilities; these go beyond the minimal responsibility boundary of "analyze history and evolve under constraints". For an agent with self-modification capability, adding an external publication path significantly expands the blast radius: once the evolution logic, environment variables, or upstream inputs are manipulated, the agent could automatically publish insufficiently reviewed changes to public repositories or distribution channels.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
The script performs external task-marketplace discovery against evomap.ai, which is materially different from the declared purpose of a self-evolution engine that analyzes runtime history and applies constrained evolution. In an agent skill context, undeclared network functionality can expand the trust boundary, enable remote work acquisition or command intake, and create a covert control/data channel that operators may not expect.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Querying an external task marketplace is unjustified by the stated self-evolution purpose and allows the skill to ingest remote, potentially adversarial work items from a third party. Even though this snippet only lists tasks, in a larger agent ecosystem it can normalize unauthorized external coordination and become a precursor to remote task execution or policy bypass.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
This file makes a hard-coded outbound HTTPS request to evomap.ai and prints the returned asset data, but that behavior does not align with the declared purpose of a self-evolution engine analyzing local runtime history. In an agent skill context, unjustified network egress can enable covert data access patterns, dependency on untrusted remote content, or future expansion into command-and-control style behavior if reused elsewhere.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The code implements remote asset retrieval capability without a clear justification from the skill's stated purpose, increasing the attack surface for unnecessary network interactions. Even though this specific sample only performs a GET, the presence of unexplained fetch logic in an agent skill makes the skill more dangerous because it can normalize hidden external dependencies and expose the runtime to unreviewed remote content.

Description-Behavior Mismatch

High
Confidence
90% confidence
Finding
The file’s behavior materially differs from the stated skill purpose: instead of analyzing runtime history or performing constrained self-evolution, it fetches a hard-coded remote asset and prints the response. This is dangerous because hidden or undocumented remote retrieval in an agent skill expands the trust boundary, can introduce supply-chain or data-exfiltration risks later, and suggests the manifest may be misleading about what the code actually does.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The script makes an outbound HTTPS request to a specific external host for a fixed asset without any clear connection to the declared self-evolution function. In skill ecosystems, unjustified remote fetches are risky because they can be used to pull unreviewed instructions or data, and the mismatch between description and implementation makes the behavior more suspicious.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file stores a large set of promoted genes spanning unrelated domains such as marketing, deployment, backup, JWT, workflow orchestration, and infrastructure, which exceeds the declared purpose of a protocol-constrained self-evolution engine based on runtime history. In an agent skill system, this creates capability drift and effectively broadens the skill into a catch-all activator, increasing the chance of unintended invocation and unsafe privilege expansion.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This promoted gene introduces wellness/franchise marketing behavior, which is unrelated to self-evolution and indicates the promotion pipeline is not enforcing scope boundaries. Because skills are activated by trigger text, unrelated business capabilities can be invoked unexpectedly and cause the agent to perform actions far outside its declared trust model.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The OpenClaw automation/workflow gene expands the skill into general task decomposition, tool invocation, and persistent-memory updates, which are materially broader than runtime-history-driven self-evolution. In a self-evolving agent, this is especially dangerous because broad orchestration capabilities can combine with other promoted genes to form emergent high-impact behavior not intended by operators.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Infrastructure and deployment genes such as docker/container/image/registry are outside the stated purpose of self-evolution from runtime history. Their inclusion broadens the reachable action space of the skill and increases risk of unintended operational changes if triggers fire during ordinary technical conversation.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Backup/restore and disaster-recovery capabilities are operationally sensitive and unrelated to runtime-history-based evolution of agent behavior. Including them in this skill undermines least privilege and could lead to accidental or unauthorized operational workflows being selected under weak trigger matching.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code detaches and self-spawns a replacement background process, creating persistence-like behavior that can outlive the invoking context and bypass expected lifecycle controls. In an agent skill, this is risky because it can consume resources indefinitely, evade supervision, and make shutdown or auditing harder than a normal foreground task.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file is supposed to support a self-evolution engine, but instead contains a ranked catalog of unrelated implementation capsules such as WebSocket backoff, SQL DataLoader usage, Docker optimization, and asyncio throttling. In an agentic system, this kind of capability drift can cause the skill to surface or propagate arbitrary code patterns outside its declared scope, undermining policy boundaries and enabling unreviewed behaviors to be promoted as if they were part of constrained evolution.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Maintaining and promoting generic engineering capsules inside a self-evolution skill increases the attack surface because the engine can accumulate reusable implementation knowledge unrelated to its declared function. In context, that is more dangerous than a normal documentation repository because a self-evolving agent may treat these promoted capsules as trusted building blocks, allowing scope expansion, policy bypass by indirection, or unsafe autonomous reuse.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script performs outbound registration to a third-party service and persists a node identity, but this behavior is not reflected in the stated skill purpose or clearly disclosed to the operator. Hidden or under-documented external enrollment is dangerous because it creates an unexpected trust relationship and enables remote tracking or later coupling to external infrastructure.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code contacts evomap.ai to register the local node and supports account-binding via a claim code, which goes beyond a locally scoped self-evolution function. This is risky because it can silently attach the agent environment to an external service, enabling inventorying, tracking, or future control-plane dependencies that the user did not expect.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
When run with --protocol and --persist, this script transmits hello/publish messages over an external transport without any authentication, destination validation, or interactive confirmation in this file. Because the exported assets can include capsules, genes, and optionally evolution events, this creates a real data-exfiltration and unintended agent-to-agent publication path beyond purely local self-evolution.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The imports show built-in support for agent-to-agent export and protocol publication, which expands the skill from local runtime analysis into external sharing. In the context of a self-evolution engine, that increases risk because internal behavior artifacts and improvement data may leave the local trust boundary without strong justification or safeguards visible here.

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
index.js:158

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/build_public.js:169

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/generate_history.js:17

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/publish_public.js:13

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/recover_loop.js:19

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/suggest_version.js:27

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/evolve.js:274

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/gep/solidify.js:63

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/ops/cleanup.js:46

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/ops/health_check.js:20

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/ops/lifecycle.js:27

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/ops/self_repair.js:17

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/ops/skills_monitor.js:96

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/gep/a2aProtocol.js:35

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/gep/hubSearch.js:12

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/gep/memoryGraphAdapter.js:77

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/gep/taskReceiver.js:8