Security audit

QClaw Self-Evolver

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned for a self-evolving agent, but it creates persistent background behavior and stores user correction history without enough consent, retention, or rollback controls.

Install only if you intentionally want a persistent self-evolving agent. Before enabling it, review or disable the cron job, inspect what is written under ~/.qclaw/workspace/.learnings and ~/.qclaw/workspace/skills, avoid including secrets in corrections, and require manual review before generated skills or prompt changes become active.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill states that installation will create files and overwrite `SKILL.md`, but it does not prominently warn the user or require explicit confirmation before doing so. Automatic file creation and overwriting can destroy existing configuration or content and changes persistent agent behavior in ways the user may not expect.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The skill says installation will register a recurring cron job every 3 days, but does not present a clear warning about persistent background execution or obtain explicit consent for scheduled tasks. Silent cron registration creates ongoing automated behavior that can consume resources, repeatedly modify state, and continue analyzing data long after the initial interaction.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill describes automatic analysis of conversation history and task history to derive learning records and new skills, but does not warn users that their past interactions may be mined and retained. This creates a privacy and transparency issue because sensitive prompts, corrections, or operational context may be processed and persisted without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The script persists user-provided correction text directly to markdown files without any notice, consent flow, minimization, or filtering. In practice, users may include sensitive prompts, secrets, personal data, or internal context in these corrections, and the tool silently creates a retention sink in the workspace.

Ssd 3

Severity: Medium
Confidence: 98%
Finding
The auto-learning design directs the agent to retain user corrections and dialogue-derived patterns in persistent records, which can capture sensitive user content and internal operational details. Because this retention is automatic and coupled with later processing, it increases the risk of privacy leakage, unintended profiling, and long-term storage of data the user did not expect to be memorialized.

Ssd 3

Severity: Medium
Confidence: 98%
Finding
The documented directory structure and records show systematic persistent logging of corrections, errors, feature requests, and behavior patterns from conversations. This broad collection expands the attack surface and creates durable local artifacts that may expose sensitive information if the workspace is shared, backed up, or later consumed by other tools.

Ssd 3

Severity: Medium
Confidence: 99%
Finding
The workflow explicitly instructs immediate writing of detected user corrections into `pending.md` and later merging into long-term learning files. Immediate persistence without confirmation or filtering can capture accidental disclosures, confidential instructions, or sensitive corrections and preserve them indefinitely.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
The script is explicitly designed to retain user corrections and related text in persistent files, creating a durable record of natural-language interaction content. This becomes security-relevant because conversational corrections often contain sensitive operational details, credentials, proprietary data, or personal information that users do not expect to be archived.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The 'wrong' and 'right' fields are written verbatim into persistent records, so any sensitive text entered by a user is permanently copied to disk. Because the data is stored raw and unescaped, the script increases the chance of accidental disclosure through backups, repo inclusion, shared workspaces, or later inspection by other tools/users.

Ssd 3

Severity: Medium
Confidence: 93%
Finding
The flush operation promotes pending records into a long-term learnings file, extending the lifetime and discoverability of previously captured user content. This makes accidental retention more severe because data that may have been intended as temporary is silently copied into a cumulative archive.

Self-Modification

Severity: High
Category: Rogue Agent
Content (excerpt from the installer's module docstring, translated):
4. Register a cron scheduled task (runs the SEA evolution scan every 3 days)

Usage:
    python install_self_evolver.py
"""

import os
Confidence: 90%
Finding
self_evolve

VirusTotal

67/67 vendors flagged this skill as clean.