v1.2.0

Ocean-Evolve 海洋进化版

Suspicious
ClawScan verdict for this skill. Analyzed Apr 30, 2026, 3:28 PM.

Analysis

The skill is transparent about being self-evolving, but it gives the agent unusually broad permission to change its own instructions, install packages, edit configuration and memory, and store API keys without normal confirmation.

Guidance

Install this only if you intentionally want an experimental self-modifying agent. Before enabling it, narrow the instructions so the agent must ask before installing packages, changing configuration, editing memory or behavior files, creating skills, moving files, or storing API keys. Use a test workspace, avoid critical credentials, keep backups, and review the audit logs regularly.

Findings (9)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
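Severity: High | Confidence: High | Status: Concern
SKILL.md
You are authorized to **proactively identify problems, propose improvements, and execute them directly as long as you follow the safety rules**. You do not need to ask for permission for every small matter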

This explicitly changes the agent from user-directed assistance into an autonomous self-improvement actor that can execute changes without asking for each action.

User impact: The agent may prioritize self-modification and optimization tasks even when the user has not asked for them.
Recommendation: Require explicit user approval before any self-modification, configuration change, dependency installation, or skill creation.

Tool Misuse and Exploitation
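Severity: High | Confidence: High | Status: Concern
SKILL.md
Install new dependency packages (npm, pip, system tools)... Adjust the workspace directory structure (moving files, renaming, etc.)... then execute immediately, without waiting for the user's reply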

The instructions expose package managers, system tools, and file-moving operations through automatic approval, which can mutate the local environment.

User impact: A mistaken or malicious instruction could lead the agent to install packages or move files without a fresh confirmation.
Recommendation: Limit tool use to an allowlisted set and require user confirmation for installs, file moves, deletes, plugin changes, and workspace restructuring.

Agentic Supply Chain Vulnerabilities
Severity: High | Confidence: High | Status: Concern
SKILL.md
Install new dependency packages (npm, pip, system tools): first check whether they are already installed (`npm ls <package>` or `pip show <package>`)

The skill allows future npm, pip, and system-tool installation but does not require pinned versions, trusted sources, hashes, or explicit provenance review.

User impact: Untrusted or compromised packages could be added to the environment as part of the agent’s self-improvement process.
Recommendation: Require pinned package versions, trusted registries, lockfiles or hashes, and explicit user approval before any dependency or system-tool install.

Unexpected Code Execution
Severity: High | Confidence: High | Status: Concern
SKILL.md
Install new dependency packages (npm, pip, system tools)... then execute immediately, without waiting for the user's reply

Package and system-tool installation can execute installer scripts or add executable code, and the skill permits this through automatic approval.

User impact: The agent could introduce and run new code paths beyond the original instruction-only skill.
Recommendation: Block automatic installs and require a separate user-reviewed plan showing the package name, source, version, purpose, and rollback method.

Cascading Failures
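Severity: High | Confidence: High | Status: Concern
SKILL.md
Modify the core behavior rules in `AGENTS.md` or `SOUL.md`... Install new dependency packages... Adjust the workspace directory structure... execute immediately, without waiting for the user's reply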

A single bad autonomous decision can propagate into persistent behavior rules, dependencies, and workspace layout without containment by user approval.

User impact: One flawed self-improvement step could affect later sessions, other skills, configuration, or files in the workspace.
Recommendation: Add containment: require approvals, create backups before changes, restrict the writable scope, and test changes in a separate workspace.

Human-Agent Trust Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
**Trust has been granted; safety is the bottom line.**

The wording tells the agent that trust has already been granted while also authorizing broad automatic modifications, which can reduce meaningful user consent.

User impact: Users may over-trust the skill’s safety claims and not realize how much authority it gives the agent.
Recommendation: Replace blanket trust language with explicit consent requirements and clear prompts before high-impact actions.

Rogue Agents
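Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Whenever there is a heartbeat or you are idle, you can... review recent conversations... think about how to improve... Every Sunday at 20:00, scan the `memory/evolution/` directory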

The skill instructs the agent to perform idle-time and scheduled autonomous review/reporting activity beyond a single user request.

User impact: The agent may continue autonomous maintenance or self-review behavior after the immediate task is complete.
Recommendation: Disable background or idle-time actions by default and require the user to invoke audits, reports, or self-improvement sessions manually.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
SKILL.md
Manage and store API keys for website services (non-paid)... Storage location: `~/.openclaw/.env`, or the `env` field in `openclaw.json`, or a `.env` file in the skill directory

The skill introduces broad credential storage and update authority for website API keys without naming specific services, scopes, or a declared credential contract.

User impact: The agent could write or update sensitive tokens in persistent configuration files, increasing the consequences of mistakes or prompt compromise.
Recommendation: Only provide low-value test keys, require per-key approval, define exact allowed services and env-var names, and avoid storing credentials in skill directories.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: High | Confidence: High | Status: Concern
SKILL.md
Edit `SOUL.md`... Edit `AGENTS.md`... Edit `USER.md`... Manage the `memory/` memory store

The skill permits persistent modification of the agent’s persona, default behavior, user model, and memory files, which can affect future tasks.

User impact: Bad or poisoned memory entries could persist and shape future agent behavior or assumptions about the user.
Recommendation: Require user approval for changes to persistent memory or instruction files, keep diffs, and allow easy review and rollback.