Evolver 1.32.2

Security checks across malware telemetry and agentic risk

Overview

This self-evolution skill has real code-changing and networked automation abilities, but several high-impact behaviors are broader or less clearly controlled than users would expect.

Review before installing. Use only in an isolated git workspace, avoid exposing broad GitHub or A2A credentials, disable auto-update/auto-publish/auto-issue/bridge behavior unless intentionally needed, and prefer review/stash modes over fully automated loop operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (75)

Description-Behavior Mismatch (Medium, 87% confidence)

The README materially understates the skill's effective behavior by framing it as a prompt generator while separately documenting automatic GitHub issue filing and worker-pool participation. That mismatch can cause operators to grant network/shell permissions or deploy the skill under incorrect assumptions, increasing the risk of unintended outbound communication and autonomous activity.

Description-Behavior Mismatch (Medium, 93% confidence)

The README documents capabilities for public release and publishing workflows that extend beyond local self-evolution into external network operations. In a skill with network and shell permissions, undocumented or under-scoped outbound actions increase the risk of unintended code publication, data disclosure, or repo modification if an operator assumes the tool only performs local optimization.

Description-Behavior Mismatch (Medium, 96% confidence)

Automatic GitHub issue submission sends data outside the local environment to an upstream repository, which materially exceeds a narrow self-improvement role. Even with redaction claims, log-derived reports can leak sensitive operational context, and automatic reporting can be abused or triggered unexpectedly in persistent loop mode.

Scope Creep (Medium, 88% confidence)

The manifest capability scope allows writes only to `workspace/assets/**` and `workspace/memory/**`, while the same document later states the skill writes to `workspace/src/**` during solidification. This inconsistency undermines least-privilege review and can conceal source-code mutation from policy enforcement or human reviewers.

Description-Behavior Mismatch (Medium, 88% confidence)

The manifest presents the skill as a self-evolution engine, but the CLI also downloads external skills from a hub and writes their contents to disk. This hidden expansion of scope increases supply-chain and trust risk because users may invoke or install functionality not disclosed by the manifest, and downloaded files may later be executed or consumed by other tooling.

Description-Behavior Mismatch (High, 94% confidence)

This script performs actions far beyond a self-evolution engine: it can clone a public repo, push code/tags, create GitHub releases, and publish artifacts to an external registry. In a skill with network and shell permissions, this materially expands the agent's ability to exfiltrate code or distribute changes publicly, making unintended or unauthorized publication a real security risk.

Context-Inappropriate Capability (High, 95% confidence)

The code mirrors build output into a GitHub repository, pushes branches/tags, creates releases, and publishes to ClawHub. Those capabilities are unrelated to the declared purpose and are dangerous because they enable broad outbound code distribution from within an agent skill, especially when credentials are already present in the environment.

Context-Inappropriate Capability (Medium, 89% confidence)

The script mines git history to collect contributor identities and reuses them in publish commit trailers, despite this being unrelated to self-evolution. In context, this is risky because it processes identity data from potentially private development history and propagates it into a public-facing workflow without necessity or consent controls.

Description-Behavior Mismatch (High, 98% confidence)

The skill includes an autonomous auto-update path that discovers an external CLI and executes forced update commands for multiple packages without explicit user approval. In a self-evolution engine with network and shell permissions, this materially expands the trust boundary: remote package state can change local behavior or code at runtime, creating a supply-chain and unauthorized code modification risk.

Context-Inappropriate Capability (High, 99% confidence)

The code executes `process.env.INTEGRATION_STATUS_CMD` with `execSync`, which allows arbitrary shell command execution from environment-controlled input. Any attacker or untrusted wrapper that can influence environment variables can run commands with the agent's privileges, and this skill already has shell/network permissions, making abuse straightforward and severe.

Context-Inappropriate Capability (Medium, 94% confidence)

The code performs autonomous package/skill management by invoking update commands against an external tool. Even if intended for maintenance, unattended updates change executable code and dependencies outside normal review controls, increasing supply-chain exposure and making behavior non-deterministic.

Description-Behavior Mismatch (Medium, 93% confidence)

This module goes beyond a local/pluggable protocol layer by automatically registering with a remote hub and sending recurring heartbeat telemetry. In a skill advertised as a self-evolution engine, this expands behavior into persistent remote coordination and data exchange, creating an undisclosed exfiltration and command-and-control surface if enabled.

Description-Behavior Mismatch (Medium, 81% confidence)

The file implements peer publication, fetch, and node discovery capabilities that are materially broader than the stated purpose of analyzing runtime history for self-evolution. That mismatch increases risk because it enables remote asset exchange and discovery channels that could import untrusted content or leak local state under a misleading capability description.

Context-Inappropriate Capability (Medium, 91% confidence)

The hello message includes an environment fingerprint and sends it to remote peers or a hub without necessity being established by the stated feature set. Environment fingerprints can aid host profiling, tracking, and targeting, especially when combined with a stable node identity.

Context-Inappropriate Capability (Medium, 90% confidence)

The module derives a stable node identifier from device characteristics and persists both identity and hub-issued secrets on disk. This creates durable tracking and authentication material beyond what is needed for local self-evolution, increasing privacy risk and the consequences of local compromise.

Description-Behavior Mismatch (Medium, 91% confidence)

The code collects and embeds a broad environment fingerprint including device identity, hashed hostname, hashed current working directory, OS details, region, and container state. Even though some values are hashed or truncated, they still create a persistent identifier that enables host tracking and correlation beyond the stated purpose of runtime-history-based self-evolution, which is especially sensitive given the skill has network permission.

Context-Inappropriate Capability (Medium, 93% confidence)

The fingerprint key derives a stable environment class from `device_id`, hostname, platform, architecture, Node version, and client metadata, enabling repeatable classification of a host across runs. This creates persistent environment identity not clearly necessary for self-evolution and can support tracking, profiling, or selective targeting if transmitted or stored by the agent.

Description-Behavior Mismatch (Medium, 90% confidence)

This module adds autonomous GitHub issue filing and consumes GitHub credentials, which goes beyond a narrowly scoped self-evolution engine and creates a data egress path. In this skill context, the risk is higher because the component can send sanitized but still potentially sensitive runtime, environment, and failure data to an external repository without explicit operator approval.

Context-Inappropriate Capability (Medium, 93% confidence)

The code automatically creates GitHub issues when certain failure conditions are met, causing external network actions unrelated to the core evolution task. In an agent skill with network and shell permissions, autonomous external reporting increases the chance of unintended data disclosure and unauthorized outbound actions.

Context-Inappropriate Capability (Medium, 88% confidence)

Reading GitHub tokens from standard environment variables enables the skill to leverage existing credentials for outbound actions, even if the operator did not intend this module to use them. In this context, that broad credential harvesting is dangerous because it turns ambient secrets into active capabilities for data exfiltration or repository modification.

Intent-Code Divergence (Medium, 98% confidence)

The code presents itself as performing an LLM-based review but the executed script always returns a hardcoded approval result. This creates a deceptive safety control: downstream components may trust that mutations received an independent security/quality review when in reality every change is approved, allowing unsafe self-modifications to pass unchecked.

Description-Behavior Mismatch (Medium, 99% confidence)

The module's advertised purpose is runtime LLM review of code changes, yet its actual behavior is to auto-approve all changes with moderate confidence even on parse failure or execution error. In a self-evolving agent with shell and network permissions, this undermines a critical guardrail and can permit risky or malicious code changes to be accepted as if they were vetted.

Description-Behavior Mismatch (Medium, 87% confidence)

The module records externally sourced candidate assets into a trusted local memory graph without validation, provenance enforcement, or sanitization beyond basic field extraction. In a self-evolving agent with network and shell permissions, this creates a poisoning surface where untrusted external inputs can persistently influence later selection or evolution logic, even if this function does not directly execute them here.

Context-Inappropriate Capability (Medium, 84% confidence)

The selector unconditionally calls `captureEnvFingerprint()` during gene scoring, collecting platform, architecture, and Node version data even though the core function is capability selection. In a self-evolving agent with network and shell permissions, this environment data can enable host profiling, targeted behavior changes, and covert telemetry beyond what is necessary for basic selection, making the collection security-relevant rather than purely incidental.

Description-Behavior Mismatch (Medium, 94% confidence)

The file automatically publishes newly distilled genes to an external Hub when `SKILL_AUTO_PUBLISH !== '0'`, with no approval gate, trust check, or review step. In a self-evolving skill with network permission, this creates a real exfiltration and propagation risk: runtime-derived content can be sent off-host and potentially distributed to other agents without operator awareness.

VirusTotal

VirusTotal findings are pending for this skill version.