Security audit

Evolver 1.32.2

Security checks across malware telemetry and agentic risk

Overview

The skill has a coherent self-evolution purpose, but it bundles automatic updates, remote task intake, outbound reporting, and persistent device identity in ways users should review before installing.

Install only if you want a high-authority self-evolving agent component. Before use, disable auto-update unless explicitly needed, set EVOLVE_BRIDGE=false for prompt-only mode, set EVOLVER_AUTO_ISSUE=0 unless you approve GitHub reporting, avoid broad GitHub tokens, review EvoMap hub/task settings, and expect persistent IDs under ~/.evomap.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (73)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill is presented as a self-evolution engine, but the documented behavior includes remote skill fetching, publishing, issue filing, release automation, task handling, and marketplace-style asset exchange. This scope expansion hides significant networked code-writing and distribution capabilities, which can lead operators to grant permissions without understanding the full supply-chain and autonomy risk.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The README documents behaviors that go beyond a narrow self-evolution/prompt-generation role: automatic GitHub issue reporting and participation in a network worker pool. Those capabilities introduce outbound data flow and remote task intake, which materially expand the trust boundary and attack surface relative to the stated purpose.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Automatic GitHub issue filing sends sanitized logs and environment-derived information off-system, which is not obviously necessary for a self-evolution engine. Even with redaction, this can leak sensitive operational context, and the README presents it as enabled by default, increasing the risk of unintended disclosure.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Worker-pool participation allows the skill to advertise capabilities and pull tasks from an external network, which is a substantial functional expansion beyond local prompt evolution. In a skill with shell and network permissions, remote task intake can become a conduit for unauthorized or risky actions if not tightly constrained and transparently disclosed.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The FAQ claims the tool does not edit code automatically, but elsewhere the README describes mutation, self-repair, validation command execution, lifecycle operations, and task claiming. This mismatch can mislead operators about the degree of autonomy and execution risk, causing unsafe deployment decisions.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The README documents capabilities for public publishing and GitHub-side reporting that extend beyond a narrowly scoped self-evolution engine. In a skill with network and shell permissions, these extra outbound and repository-modifying behaviors enlarge the attack surface and can enable unintended code/data exfiltration or unauthorized publication if triggered by logs, prompts, or misconfiguration.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
Automatic GitHub issue filing transmits operational details outside the local environment, which is a materially different capability from self-repair. Even with redaction claims, automated reporting can leak sensitive context, derived metadata, or partial secrets, especially when failure logs are influenced by adversarial input or contain unanticipated sensitive values.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Public release and repository publishing are not necessary for the core task of analyzing runtime history and applying local improvements. In the context of a self-modifying skill with shell and network access, bundling release automation creates a path from internal state changes to external code publication, increasing the consequences of compromise or prompt/log manipulation.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Automatic issue submission is context-inappropriate for a component whose stated purpose is self-evolution from runtime history, because it introduces external communication and data-sharing behavior not essential to local operation. The skill context makes this more dangerous: autonomous analysis of logs means attacker-controlled content could be relayed outward, turning failures into an exfiltration channel.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest presents the skill as a self-evolution engine, but the CLI also supports downloading remote skills from a hub/marketplace. This capability expansion is security-relevant because it introduces supply-chain intake and remote content acquisition beyond the stated purpose, increasing the chance that operators enable the skill under a narrower trust assumption than the code actually deserves.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This section reads hub/node secrets, performs node registration, and downloads artifacts from a remote hub, none of which are obvious from the stated evolution-only description. In a skill with network and shell permissions, hidden authentication and remote retrieval paths materially increase risk by enabling unexpected external communication and authenticated access using local secrets.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This script implements repository publication, tag creation, GitHub release creation, and third-party registry publication, which is materially different from the declared skill purpose of runtime-history-based self-evolution. In an agent skill with network and shell permissions, hidden release-engineering behavior increases the risk of unauthorized code publication, data leakage, and supply-chain impact if the skill is invoked in an unexpected context.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code clones a public repository, overwrites its contents with build output, pushes commits and tags, creates GitHub releases, and publishes packages to ClawHub, none of which are justified by the stated capability-evolution function. Because the skill has shell and network access, this mismatch makes the behavior more dangerous: it can modify external artifacts and distribute code under trusted identities using ambient credentials.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill autonomously updates external packages/skills by invoking `clawhub update ... --force`, which exceeds its stated purpose of runtime-history analysis and protocol-constrained evolution. This introduces an unreviewed supply-chain modification path: a remote registry or compromised package source can change local code and behavior without explicit operator approval.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill can automatically file upstream GitHub issues, which is outside the narrow evolution-engine function and causes external communication based on local runtime data. Even if logs are sanitized, this can disclose internal failures, environment characteristics, or sensitive operational details to third parties without user awareness.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code executes an arbitrary shell command from `process.env.INTEGRATION_STATUS_CMD` via `execSync`. Because environment variables are mutable by launch context, wrappers, or other local components, this creates a direct command-execution primitive in a skill that already has shell permission, enabling full code execution under the agent's privileges.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The auto-update routine uses shell execution to locate and run `clawhub update` against external skills, making remote code changes from within the agent lifecycle. In the context of a self-modifying engine with network and shell permissions, this materially increases supply-chain and persistence risk because code can be changed outside normal review boundaries.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This module goes beyond a local/pluggable transport abstraction and unconditionally implements remote hub registration, heartbeat telemetry, work polling, and token-based authentication helpers. In a self-evolving agent with network and shell permissions, this creates a covert coordination and telemetry channel that can disclose operational state, receive external tasking, and silently couple local execution to a third-party service.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code derives a stable node identity from device characteristics, agent name, and working directory, then persists it to disk. Even if partially hashed, this enables long-lived tracking and correlation of an installation across sessions, which is unnecessary and privacy-invasive for a protocol helper unless the user has explicitly consented.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file deliberately creates a stable cross-run host identity using machine IDs, container IDs, MAC addresses, and persisted local storage. For a skill described as a runtime-history self-evolution engine, this expands collection into persistent device fingerprinting, which can enable tracking of hosts or containers beyond what is obviously necessary for core functionality.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code reads sensitive identity signals from /etc/machine-id, macOS IOPlatformUUID, cgroup data, mountinfo, hostname, and MAC addresses, then derives a stable identifier from them. Even though it hashes the inputs, the purpose remains device correlation and persistence, which increases privacy and tracking risk and is difficult for users to notice or control.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This module adds autonomous external behavior by opening GitHub issues based on runtime conditions, which exceeds a narrowly self-contained evolution role and creates a data egress path. In a skill with network and shell permissions, automatic outbound reporting increases risk because failures, environment characteristics, and operational metadata can be exfiltrated without an explicit approval step.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The code reads GitHub credentials from common environment variables and uses them for remote issue creation, enabling the skill to leverage ambient secrets for external actions. Even if intended for diagnostics, using inherited tokens broadens the blast radius of the component and can cause unauthorized reporting to repositories accessible by the token.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The code presents itself as an LLM-backed safety/review gate, but the implementation always returns an approval result with nonzero confidence and no concerns. In a self-evolving agent, this creates a deceptive control that can allow unsafe or malicious mutations to pass review unchecked while operators believe a meaningful safety assessment occurred.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The prompt explicitly instructs the agent to apply code changes, run validations, create new skills under skills/<name>/, and modify the local codebase. That materially exceeds the advertised role of merely analyzing runtime history and, combined with shell and network permissions, creates an autonomous code-modification capability that can be abused for persistence, lateral functionality expansion, or unsafe changes.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal (+1 more)

Severity | Code | Location | Message
Critical | suspicious.dangerous_exec | index.js:214 | Shell command execution detected (child_process).
Critical | suspicious.dangerous_exec | scripts/build_public.js:170 | Shell command execution detected (child_process).
Critical | suspicious.dangerous_exec | scripts/generate_history.js:17 | Shell command execution detected (child_process).
Critical | suspicious.dangerous_exec | scripts/publish_public.js:13 | Shell command execution detected (child_process).
Critical | suspicious.dangerous_exec | scripts/recover_loop.js:54 | Shell command execution detected (child_process).
Critical | suspicious.dangerous_exec | scripts/suggest_version.js:27 | Shell command execution detected (child_process).
Critical | suspicious.dangerous_exec | src/evolve.js:451 | Shell command execution detected (child_process).
Critical | suspicious.dangerous_exec | src/gep/llmReview.js:70 | Shell command execution detected (child_process).
Critical | suspicious.dangerous_exec | src/gep/solidify.js:67 | Shell command execution detected (child_process).
Critical | suspicious.dangerous_exec | src/ops/health_check.js:20 | Shell command execution detected (child_process).
Critical | suspicious.dangerous_exec | src/ops/lifecycle.js:27 | Shell command execution detected (child_process).
Critical | suspicious.dangerous_exec | src/ops/self_repair.js:17 | Shell command execution detected (child_process).
Critical | suspicious.dangerous_exec | src/ops/skills_monitor.js:96 | Shell command execution detected (child_process).
Critical | suspicious.env_credential_access | index.js:129 | Environment variable access combined with network send.
Critical | suspicious.env_credential_access | src/gep/a2aProtocol.js:75 | Environment variable access combined with network send.
Critical | suspicious.env_credential_access | src/gep/hubSearch.js:73 | Environment variable access combined with network send.
Critical | suspicious.env_credential_access | src/gep/issueReporter.js:21 | Environment variable access combined with network send.
Critical | suspicious.env_credential_access | src/gep/memoryGraphAdapter.js:77 | Environment variable access combined with network send.
Critical | suspicious.exposed_secret_literal | test/sanitize.test.js:12 | File appears to expose a hardcoded API secret or token.
Warn | suspicious.potential_exfiltration | src/gep/a2aProtocol.js:424 | Sensitive-looking file read is paired with a network send.