Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Evoagentx
v1.0.1
EvoAgentX - Self-evolving AI agents framework integration
by Ivan Cetta @nantes
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md claims to integrate with EvoAgentX and even lists a pip package and a Windows python_path, but the registry metadata shows no install spec and there are no code files. The instructions rely on a PowerShell script (evoagentx.ps1) that is not included — this mismatch (claiming to install/run something but not providing the installer or clear install steps) is incoherent. The hard-coded Windows python path is user-specific and may not apply to other environments.
Instruction Scope
Runtime instructions tell the agent/user to run .\evoagentx.ps1 -Action <...> and to set $env:OPENAI_API_KEY, but no such script is present and the skill registry did not declare any required environment variables. The instructions also refer to installing/checking the framework without giving the actual commands or safe provenance for any downloads — leaving the agent/user to run unspecified install steps.
Install Mechanism
There is no install specification in the registry; the SKILL.md's embedded metadata references a pip dependency (evoagentx) but provides no automated install step. That makes installation ambiguous: the skill expects Python 3.12 and a package but does not instruct how or from where the package will be installed. Lack of an explicit, verifiable install mechanism is a risk and a coherence issue, though not proof of malicious intent.
Credentials
The visible instructions require an OpenAI API key (and mention other providers) but the skill's declared required env vars list is empty. Requesting API keys without declaring them in the registry and without describing minimal needed scopes is disproportionate. The skill could require additional model provider keys (Claude, DeepSeek, Qwen) but gives no guidance on which are mandatory.
Persistence & Privilege
The skill does not request persistent privileges (always is false) and does not declare changes to other skills or system-wide settings. It does, however, reference a user-specific python path; this is odd but not a privilege escalation.
What to consider before installing
Do not run the commands in SKILL.md or set API keys globally until you confirm provenance. Specific actions to take before installing:
1) Ask the publisher for the missing files (evoagentx.ps1 or a clear install script) and a trustworthy source for the 'evoagentx' pip package (PyPI link or GitHub release).
2) Verify the GitHub/org site and that the pip package matches the repo and is maintained.
3) Never paste your OpenAI (or other) secret into a file or command you haven't verified — prefer injecting keys into a controlled environment (a dedicated virtualenv/VM or ephemeral container) and use least-privilege API keys.
4) If you must test, do so in an isolated sandbox or VM and inspect any scripts before running.
Providing an explicit install spec, included scripts, and declared env vars would raise confidence; absence of those items is why this skill is flagged as suspicious.
Like a lobster shell, security has layers — review code before you run it.
latest vk978tecytyj5j6gbks6n78vjvs81nr7a
Runtime requirements
🧬 Clawdis
Bins: python3.12
