Robot Evolve

Pass

Audited by VirusTotal on May 6, 2026.

Overview

Type: OpenClaw Skill
Name: robot-evolve
Version: 3.0.1

The skill implements an 'autonomous evolution' system that performs background maintenance tasks (file cleanup, memory compression, and skill scanning) during idle periods. While the intent is documented as benign maintenance, it possesses high-risk capabilities including scanning other installed skills in the system directory and modifying workspace configuration files without immediate user oversight. The use of hardcoded absolute paths (e.g., in `auto_evolve.py`) and a safety matrix that explicitly allows for package installations (pip/npm) as 'execute then notify' (L1) actions represents a significant privilege level that could be leveraged for persistence or unauthorized environment changes.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could treat environment changes or agent-behavior changes as allowed after-the-fact notifications instead of asking you first.

Why it was flagged

L1 actions do not require prior user acknowledgement, yet the matrix includes package installation, skill state changes, and sub-agent creation, which are high-impact operations beyond simple idle health checks.

Skill content
"L1": {"requiresAck": false, ...}; rules include "安装 Python 包(pip install)" level "L1", "安装 Node.js 包(npm install -g)" level "L1", "启用 / 禁用一个技能" level "L1", and "创建子代理(sessions_spawn)" level "L1"
Recommendation

Move package installs, skill enable/disable, config edits, and sub-agent creation to an explicit-confirmation level, and keep automatic idle mode limited to read-only checks or reversible cleanup.

What this means

Your agent’s identity, memory, or behavior context could be changed automatically, and older MEMORY.md content can be dropped without a demonstrated backup or true summary.

Why it was flagged

The script can create persistent agent context files and overwrite MEMORY.md during automatic compression, directly changing memory/instructions reused in later sessions.

Skill content
REQUIRED_FILES = {"SOUL.md": "# SOUL.md\n\n## 身份\n\n双鱼座005 · 活泼俏皮版", ... "MEMORY.md": "# MEMORY.md..."}; ... with open(memory_file, "w", encoding="utf-8") as f: f.write(summary + recent_content)
Recommendation

Require explicit approval before editing SOUL.md, USER.md, AGENTS.md, MEMORY.md, or IDENTITY.md; create backups before compression; and show a diff before applying persistent memory changes.

Note
Medium Confidence
ASI10: Rogue Agents
What this means

You may not be able to tell from the artifacts whether the skill is only invoked during chat handling or may be wired into a recurring background check elsewhere.

Why it was flagged

The script documentation describes recurring automatic or cron-style operation, while SKILL.md says the design does not rely on external cron/background processes; the artifact does not show a cron installer, but the trigger model is unclear.

Skill content
"robot-evolve health check script\nRuns automatically every 30 minutes, checks the workspace state and writes logs" and "python health_checker.py              # automatic mode (invoked by cron)"
Recommendation

Clarify the exact trigger mechanism and avoid any background or cron scheduling unless the user explicitly opts in.

What this means

Credential expectations are ambiguous; users might over-trust the skill with secrets it does not appear to need.

Why it was flagged

The registry/capability signals mention sensitive credentials even though no credential contract is declared and the included code does not show actual credential use.

Skill content
Capability signals: requires-sensitive-credentials; Required env vars: none; Primary credential: none
Recommendation

Do not provide API keys or credentials to this skill unless a specific, documented, purpose-aligned use is added and reviewed.

What this means

You may need to inspect how your agent will invoke these scripts and whether Python is available before relying on the skill.

Why it was flagged

The package contains runnable Python scripts but has no install spec or declared binary requirement in registry metadata; this is not malicious by itself, but it under-declares how the scripts are expected to be executed.

Skill content
Install specifications: No install spec — this is an instruction-only skill; Code file presence: 4 code file(s)
Recommendation

Declare the Python runtime and the exact invocation/hook behavior in metadata, especially for any autonomous execution path.