Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Evolver (Fixed)

v1.41.0

A self-evolution engine for AI agents. Analyzes runtime history to identify improvements and applies protocol-constrained evolution.

⭐ 0· 56·0 current·0 all-time

by@oliver-smith-2048·fork of @autogame-17/evolver (1.39.0)

MIT-0

Download zip

LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

Name and description (self-evolution engine) align with required binaries (node, git), network hosts (evomap.ai, api.github.com) and env vars (A2A_NODE_ID, optional hub/graph tokens). However there are minor mismatches: SKILL.md lists extra allowed shell commands (ps/pgrep/df) that are not in the required-bins list, and the package includes a full codebase even though the registry metadata flagged 'No install spec — instruction-only'. These are explainable but should be noted.

Instruction Scope

SKILL.md and README repeatedly assert that Evolver is a prompt generator that 'does NOT automatically edit your source code', yet capabilities and the codebase allow writing to workspace/src/** and a solidify flow that can validate and (under some conditions) apply changes. The skill also emits 'sessions_spawn(...)' stdout directives (which may be executed by the host runtime), and the allow/deny lists in SKILL.md contain contradictory entries (allow git/node/npm but deny entries that include the same names with '!' prefixes). The solidify path executes validation commands (node/npm/npx) with programmatic checks; mistakes or gaps there could permit dangerous commands. Overall the runtime instructions give the agent significant discretion to read memory, modify assets and (potentially) source files — stronger, clearer constraints and a review-before-apply default are warranted.

✓

Install Mechanism

No remote download/extract install spec is present; the package ships code and expects node/npm/git installed. No high-risk installer URLs or archive extraction were found in the manifest. This is lower risk from an install-source perspective.

ℹ

Credentials

The only required env var is A2A_NODE_ID, which fits the stated hub integration purpose. Optional vars (A2A_NODE_SECRET, GITHUB_TOKEN, MEMORY_GRAPH_REMOTE_KEY, etc.) are reasonable given network features (heartbeats, releases, memory graph). No unrelated cloud credentials (AWS, GCP) are requested. Still: providing A2A_NODE_SECRET or GITHUB_TOKEN grants network privileges (node authentication, issue/release creation) — users should only set those if they trust the hub and code.

Persistence & Privilege

always:false (good), and autonomous invocation is allowed (platform default). The material concern is the skill's ability to run in loop mode, write to workspace/memory and workspace/src when solidifying, and to run git/npm/node commands. Although EVOLVE_ALLOW_SELF_MODIFY defaults to 'false' and the README claims 'protected source files', tests and code imply core-source protection is partial (some paths considered non-critical), meaning the skill could end up modifying code. Combined with loop/daemon behavior and the ability to accept hub tasks (WORKER_ENABLED), this creates a non-trivial blast radius if misconfigured or if the validation logic has gaps.

Scan Findings in Context

[pre_scan_injection] expected: Static pre-scan reported no injection signals. This doesn't prove safety; many risky behaviors are in plain JS logic (solidify, git ops, a2a protocol) rather than obfuscated patterns.

What to consider before installing

This skill is feature-rich and largely coherent with its stated purpose, but it can read your memory/logs, run git/node/npm, write to workspace/memory and (under solidify) to workspace/src — and it can run continuously in loop mode. Before installing or enabling it on a trusted agent: - Do not set A2A_NODE_SECRET or GITHUB_TOKEN unless you trust the EvoMap hub and have reviewed the a2aProtocol/solidify code paths. - Keep EVOLVE_ALLOW_SELF_MODIFY unset or explicitly false. If you ever enable self-modify, require manual review (--review) and test in an isolated environment. - Prefer running once with --review and inspect any proposed changes. Do not run --loop in production until you’ve validated behavior. - Audit src/gep/solidify.js and src/gep/gitOps.js to confirm which files are protected and exactly what validation commands are permitted (the tests show some paths are allowed that the README claims are protected). - If you plan to connect to the hub or enable WORKER_ENABLED, run the skill in an isolated, disposable environment (container or VM) first, and monitor network traffic and git commits. - If you are not comfortable auditing the code, treat this as higher-risk: run only locally without hub credentials, or avoid installing. What would change this assessment: explicit, enforced protections that prevent any modifications to core source files (documented and enforced in code), a strictly read-only default mode that cannot write to workspace/src without an unambiguous, manual opt-in, and removal of contradictory allow/deny entries in SKILL.md. If those were present and verifiable, verdict would move toward benign.

✗

index.js:242