Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Autonomous Learning Cycle
v1.0.0实现每17分钟自主执行任务、提取模式、评估自信、自动创建技能并生成每日/每周反思与新学习方向的闭环系统。
⭐ 0· 97·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (autonomous 17-minute learning loop that extracts patterns, evaluates confidence and auto-creates skills) aligns with the included engine files: evolution, extractor, confidence, reflection, learning-direction and skill-creator. However the SKILL metadata claimed to be 'instruction-only' but the package includes ~8 engine scripts that will read/write workspace files and create skills — this mismatch is noteworthy.
Instruction Scope
Runtime instructions instruct you to run init/setup-cron/start scripts and CLI engine commands. The code reads and writes many workspace paths (skills/, memory/, tasks/, instincts/, .learnings/, etc.), appends patterns/lessons, writes evolution logs, and (per learning-direction) executes shell commands (execSync 'npx skills find', and other npx/CLI usage). It also auto-adds tasks and (via skill-creator) can create skill files. These actions go beyond passive analysis and allow modification of local files and automated network-invoked tooling — so the runtime scope is broad and file-system mutating.
Install Mechanism
There is no formal install spec (no package manager download) and the README suggests copying/cloning the repo. The code itself invokes external tooling via npx (which may fetch packages from npm at runtime). No direct downloads from arbitrary URLs are present in the reviewed snippets, but npx/child_process use implies possible network fetches at runtime.
Credentials
The skill declares no required environment variables or credentials, which matches the files shown. Internally it relies on HOME or OPENCLAW_WORKSPACE to locate and modify the workspace. While it doesn't request secrets, it will access many local files (task queues, memory, skill directories). Documentation mentions ClawHub tokens for publishing, but the engines do not require credentials in the examined files.
Persistence & Privilege
always:false (good) but the skill includes setup-cron.js to register cron jobs (*/17 * * * *) and auto-create skills/files in the workspace. That gives the skill ongoing scheduled execution and the ability to change code/assets on disk (self-modifying or self-extending behavior). Autonomous invocation combined with file writes and cron registration raises the blast radius and warrants caution.
What to consider before installing
What to check before installing: 1) Review the 'skill-creator', 'setup-cron.js' and any start/init scripts to see exactly what files they create or modify. 2) Run the code in an isolated sandbox or disposable workspace (not your main OpenClaw workspace) to observe behavior. 3) Inspect any code that calls child_process/execSync or uses 'npx' — these can fetch and run remote packages. 4) Backup your ~/.jvs/.openclaw/workspace before running; don't run on a machine with sensitive environment/configs. 5) Consider raising the confidence threshold (configs/confidence-config.json) and disabling automated skill publication until you audit auto-created skill content. 6) If you need assurance, ask the author for a minimal example that only reads data (no writes or cron) and for a clear description of what new skill files will contain and where they're written.engines/learning-direction.js:212
Shell command execution detected (child_process).
setup-cron.js:100
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk9756qkq7p93dgmz9pjq4463cs83v856
License
MIT-0
Free to use, modify, and redistribute. No attribution required.