Evolver (Fixed)

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real self-evolution tool, but it combines automatic code changes, remote task intake, telemetry, credential use, and forced updates with inconsistent disclosure.

Install only in a disposable or tightly controlled workspace, with review mode enabled, Hub/worker features disabled unless needed, no broad GitHub token in the environment, and auto-update/auto-issue settings explicitly set. Review the .env values and do not run loop mode until you are comfortable with remote tasking, telemetry, source mutation, and rollback behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (88)

Description-Behavior Mismatch

Medium severity, 86% confidence
The README documents network-facing capabilities that go beyond a local prompt generator: skill download/publish, automatic GitHub issue filing, and a worker pool that accepts remote tasks. In a skill with network and shell permissions, this materially expands the trust boundary and creates a realistic path for remote content ingestion and task-driven execution, even if presented as optional features.

Description-Behavior Mismatch

Medium severity, 84% confidence
The documentation claims the tool does not execute arbitrary shell commands, but elsewhere admits command execution for gene validation and recommends shell-wrapped runner usage. Even if validation is constrained, this is a misleading safety claim that can cause operators to overtrust the skill and enable risky modes without understanding that shell execution still occurs.

Intent-Code Divergence

Medium severity, 82% confidence
Describing the system as only a prompt generator understates that it can also run validation commands and participate in a network worker pool that executes tasks from external sources. This mismatch is dangerous because users may deploy it into sensitive environments assuming it is non-executing, while the actual behavior includes task acceptance and command execution surfaces.

Context-Inappropriate Capability

Medium severity, 87% confidence
The README documents automatic GitHub issue submission that can send redacted environment details and logs to an external repository. In a self-evolving agent with network and shell permissions, automatic external reporting increases the risk of unintended data exfiltration, especially if redaction is incomplete or logs contain sensitive repository/runtime context.

Description-Behavior Mismatch

Medium severity, 89% confidence
The README presents the tool as primarily local/offline, but also documents worker mode that accepts network-assigned tasks and publishes assets to a hub. In this skill context, where the agent has both network and shell permissions and is explicitly designed to evolve behavior, remote task intake materially raises the attack surface and can enable untrusted external influence over local execution flows.

Description-Behavior Mismatch

Medium severity, 91% confidence
The manifest presents the skill as a self-evolution engine, but the CLI also implements a remote marketplace download feature that can retrieve and write external content into the local filesystem. That capability expansion is security-relevant because it introduces supply-chain and remote content ingestion risk that users would not reasonably infer from the stated purpose.

Context-Inappropriate Capability

Medium severity, 90% confidence
The code reads local .env configuration at startup and later relies on hub secrets, which is broader than the stated self-evolution purpose and occurs automatically for all invocations. In context, this is more dangerous because the same program has network functionality, so locally sourced secrets can be silently used in outbound requests.

Description-Behavior Mismatch

Medium severity, 92% confidence
This script does more than local export: when `--persist` is used with protocol output, it actively sends `hello` and `publish` messages over a transport. In a skill with `network` permission, that creates a real data egress path for internal assets, which is dangerous if invoked without strong destination controls, consent, or auditing.

Context-Inappropriate Capability

Medium severity, 87% confidence
The capability to publish A2A assets over a transport is broader than the stated self-evolution purpose and expands the attack surface beyond local analysis. In this context, runtime history, genes, capsules, and optionally evolution events may leave the local environment, making the skill more dangerous because it has both shell and network permissions.

Description-Behavior Mismatch

High severity, 95% confidence
This script automates cloning a public repository, replacing its contents, pushing commits/tags, creating GitHub releases, and publishing to an external registry. Those capabilities are materially broader than a runtime-history-based self-evolution engine and, when present in a skill with network and shell permissions, create a supply-chain distribution path that could exfiltrate or publicly ship artifacts without strong operator safeguards.

Context-Inappropriate Capability

High severity, 97% confidence
The code performs repository publication, tag creation, GitHub release creation, and dual ClawHub publication, none of which are justified by the stated self-evolution purpose. In context, this expands the blast radius from local analysis to external code distribution, enabling accidental or malicious release of modified content through trusted channels.

Description-Behavior Mismatch

High severity, 97% confidence
The skill contains an auto-update routine that discovers a local 'clawhub' binary and runs forced updates for installed skills ('clawhub update ... --force'). In a self-evolving agent with shell and network permissions, this expands scope from analyzing history to modifying its own code supply chain, enabling unreviewed code changes and persistence through remote package updates.

Context-Inappropriate Capability

High severity, 99% confidence
The code executes 'process.env.INTEGRATION_STATUS_CMD' via execSync, which is direct command execution from environment-controlled input. Any attacker who can influence the environment, wrapper config, or launch context can achieve arbitrary shell execution under the agent's privileges.

Context-Inappropriate Capability

Medium severity, 81% confidence
The code is configured to read session logs from '~/.openclaw/agents/.../sessions' and optionally an external transcript directory. In combination with later prompt construction, this broad collection of user and agent conversations increases exposure of sensitive data well beyond what is necessary for a single evolution task.

Intent-Code Divergence

Medium severity, 86% confidence
Comments claim external candidates are only staged and never executed directly, but the code actively fetches external Hub tasks, auto-claims them, injects their signals, and prioritizes them in the evolution pipeline. This creates a trust-boundary violation where remote ecosystem input can steer local code changes without explicit review.

Description-Behavior Mismatch

Medium severity, 94% confidence
This module does more than define a local/pluggable protocol transport: it automatically registers with a remote hub and maintains recurring heartbeats that transmit operational state. In a skill with network and shell permissions, undisclosed persistent outbound telemetry materially expands the trust boundary and can expose system activity, node presence, and work metadata to an external service.

Description-Behavior Mismatch

Medium severity, 92% confidence
The code derives a stable node identity from device-specific inputs and persists it locally, effectively creating a durable fingerprint even when no explicit node ID is configured. That enables cross-run and potentially cross-context tracking of the host, which is sensitive behavior not obviously necessary from the skill description and not transparently disclosed.

Context-Inappropriate Capability

High severity, 97% confidence
The hello message includes an environment fingerprint, and the heartbeat path also conditionally transmits fingerprint metadata to the hub. Sending environment-derived metadata to a remote endpoint can reveal host characteristics useful for tracking, profiling, or targeting, and this is especially risky in a self-evolving agent with broad permissions.

Context-Inappropriate Capability

Medium severity, 86% confidence
The module obtains, caches, and persists a long-lived node secret used for hub authentication in the user's home directory. Persistent credential storage increases the blast radius of local compromise and extends remote access capability beyond the narrow protocol-definition role implied by the skill description.

Description-Behavior Mismatch

Medium severity, 94% confidence
This module creates a stable, persistent device identifier by reading OS- and hardware-derived attributes such as machine ID, container ID, hostname, and MAC addresses, then stores the result across runs. That enables long-term host/container tracking beyond the stated skill purpose of analyzing runtime history, and expands the data collection surface in a way that can support correlation, profiling, or unintended exfiltration if the identifier is later transmitted over the network.

Context-Inappropriate Capability

Medium severity, 92% confidence
The code gathers hardware and network identity attributes including /etc/machine-id, container identifiers, hostname, and MAC addresses to derive a stable fingerprint. Even though values are hashed, the result is still a durable pseudonymous identifier that can be used to track a host over time, which is unnecessary and privacy-invasive unless the feature is explicitly justified and consented to.

Context-Inappropriate Capability

Medium severity, 95% confidence
The code collects a persistent device identifier together with multiple host-level attributes such as hashed hostname, hashed working directory, OS details, architecture, Node version, region, and container state, then embeds them into artifacts for later comparison. Even though some fields are hashed or truncated, they still enable stable cross-run correlation and environment tracking, which is broader than is typically required for a self-evolution feature and creates privacy and inventorying risk if stored or transmitted.

Context-Inappropriate Capability

Medium severity, 88% confidence
This code actively inspects host user inactivity by executing platform-specific shell commands and, on Windows, writing and running a temporary PowerShell script with ExecutionPolicy Bypass. In a self-evolution skill, this creates unnecessary host-observation capability and subprocess execution surface that can expose user-behavior metadata and normalize privileged local probing beyond the stated core function.

Description-Behavior Mismatch

Medium severity, 91% confidence
This module adds autonomous outbound behavior by creating GitHub issues containing operational data, which materially expands the skill's capability beyond local runtime-history analysis. In a skill with network and shell permissions, silent self-reporting increases the risk of unintended data disclosure and remote interaction without explicit operator approval.

Context-Inappropriate Capability

Medium severity, 90% confidence
The code automatically harvests GitHub credentials from common environment variables and uses them for outbound publication. Even though it does not exfiltrate the token itself, consuming ambient credentials for autonomous actions violates least privilege and can let the agent act on behalf of the environment owner without clear consent.

VirusTotal

65/65 vendors flagged this skill as clean.
