Alcor Capability Evolver

Security checks across malware telemetry and agentic risk

Overview

This is a powerful autonomous self-modifying skill with remote hub communication, automatic publishing and reporting, and unsafe defaults that should be reviewed before installation.

Install it only in a disposable, version-controlled workspace. Before the first run, rotate the hardcoded A2A secret; disable auto-update, auto-publish, auto-issue, and loop mode unless they are explicitly needed; and put review and stash-style rollback controls in place. Do not run it anywhere that broad workspace memories, session logs, GitHub tokens, or production source trees are reachable unless you accept autonomous edits to that material and outbound sharing of it with EvoMap and GitHub.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (79)

Lp1

Severity: High
Category: MCP Least Privilege
Confidence: 90%
Finding: The file reads configuration from a local `.env` file via `dotenv`, which is an environment/secret access capability not declared in the skill metadata. In a self-evolving agent with network and shell permissions, undeclared secret access materially increases risk because loaded credentials can be consumed by downstream code paths and exfiltrated without the operator expecting that capability.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The skill is presented as a self-improvement engine, but the documentation shows materially broader behavior: remote networking, issue/report publication, task processing, release automation, and destructive git rollback actions. That mismatch can cause operators to grant trust or permissions under a narrower mental model than the skill actually requires, increasing the chance of unsafe deployment and unintended data/code changes.

Scope Creep

Severity: High
Confidence: 97%
Finding: The manifest capability allowlist says writes are limited to `workspace/assets/**` and `workspace/memory/**`, yet the file-access section later states the skill may write to `workspace/src/**` when solidifying evolved code. This inconsistency undermines policy enforcement and auditability: either the implementation can exceed its declared boundaries, or operators are being misled about whether source modification is possible.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding: The capsule records show the self-evolution engine selecting and acting on unrelated external bounty tasks such as crypto trading and deployment strategy work, which exceeds the declared scope of analyzing runtime history for constrained evolution. In a skill with both network and shell permissions, this creates a dangerous pathway for mission drift and remote task injection into an autonomous modifier with authority to change files and system behavior.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The recorded diffs show the evolution process mutating broader system state, including cron metadata, identity metadata, memory stores, and registries, rather than remaining tightly scoped to skill assets. This is risky because a self-modifying component with shell/network access can accumulate privileged side effects, making unauthorized persistence, configuration drift, or indirect privilege expansion easier.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The skill appears to ingest network-sourced bounty tasks and use them as inputs for evolution decisions, despite its stated purpose being runtime-history analysis. That makes the evolution engine susceptible to externally supplied objectives, effectively turning a privileged self-modifying agent into a remote task executor.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: The script hard-codes a node identity, secret, and external hub endpoint into a bootstrap path for a skill whose stated purpose is local self-evolution. Embedding fixed credentials and remote connectivity in a launcher enables unauthorized reuse of the identity and silent enrollment to an external service, and makes the skill materially more dangerous given that it already has network and shell permissions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding: This script can transmit internally stored genes, capsules, and optionally evolution events to an external A2A transport when `--persist` is used, creating a clear data exfiltration path. In a self-evolution skill, these assets may encode agent behavior, history, and optimization logic; exporting them over the network exceeds the minimally necessary local-analysis function and increases the chance of leaking sensitive operational state.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding: The code aggregates eligible capsules, genes, and optional `EvolutionEvent` records, then emits them either to stdout or an external transport, which exposes internal evolution artifacts outside the local trust boundary. Because the skill has both `network` and `shell` permissions, and its stated purpose is local runtime-history analysis and constrained evolution, this export capability is more dangerous than contextually justified and can leak sensitive metadata or proprietary adaptation history.

Description-Behavior Mismatch

Severity: Medium
Confidence: 71%
Finding: The script persists externally supplied assets and records them in a memory graph with only schema/allowlist and asset-id checks and no visible size limits, provenance enforcement, sanitization, or abuse controls. In a self-evolution capability with network and shell permissions, storing untrusted external candidates becomes dangerous if downstream components later consume this data for automated reasoning, promotion, or execution, enabling data poisoning or persistence of attacker-controlled instructions.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding: The auto-update path invokes external CLI commands to update installed skills and wrappers at runtime without explicit approval for each update. In a self-evolving agent with network and shell permissions, this materially expands the trust boundary from local evolution logic to remote package sources, creating supply-chain and integrity risks if the update source, CLI, or configuration is compromised.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The code executes `process.env.INTEGRATION_STATUS_CMD` via `execSync`, which is arbitrary shell execution controlled by environment state. Any actor able to influence the environment or startup configuration can run commands with the agent's privileges, making this a direct command-injection/RCE primitive.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding: The custom reporting command support accepts `process.env.EVOLVE_REPORT_CMD` and embeds it as executable guidance for a spawned executor agent. While this file does not directly exec it here, it creates an indirect arbitrary-command execution path by passing attacker-controlled shell content into the automation workflow.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: This protocol module does more than implement a pluggable local transport: it actively registers with an external hub, sends periodic heartbeats, and exchanges work/telemetry with a remote service. In a skill with network and shell permissions and a self-evolution purpose, this materially expands the trust boundary by enabling persistent outbound communication and remote coordination that users may not expect from a protocol helper.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: The code derives a stable node identity from device characteristics, agent name, and working directory, then uses it as part of network identity. This creates host-linked tracking behavior and leaks environmental uniqueness beyond what is necessary for basic message construction, which is especially concerning in a self-evolving agent that may run across sensitive environments.

Description-Behavior Mismatch

Severity: Medium
Confidence: 83%
Finding: This file adds a networked reputation/reporting behavior that sends review data about reused Hub assets to an external service. That capability is not necessary for local runtime analysis or protocol-constrained evolution, and in an agent with network permission it expands the skill's ability to exfiltrate operational metadata such as asset IDs, outcomes, signals, gene identifiers, and blast-radius details.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The implementation actively posts asset reputation data to `/a2a/assets/:assetId/reviews`, including sender identity and generated content derived from execution results. In the context of a self-evolving agent with network and shell permissions, this creates a concrete outbound reporting channel that can leak sensitive operational telemetry and influence external reputation systems without strong user awareness or controls.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: This module introduces an automatic outbound reporting capability that sends runtime-derived diagnostics to GitHub, which exceeds the declared self-evolution purpose and creates an unintended data egress path. Even though the content is partially sanitized, environment details, failure metadata, and logs can still reveal sensitive operational information or internal behavior patterns.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The code reads GitHub credentials from common environment variables and uses them to publish data to an external repository, enabling outbound actions with ambient credentials. In an agent context with network and shell permissions, this broadens the blast radius because any failure condition can trigger authenticated external writes without interactive approval.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The issue body includes environment fingerprint data, truncated node identity, recent failed events, and session log excerpts, all of which are transmitted off-system. Redaction reduces obvious secrets but does not guarantee removal of proprietary data, identifiers, sensitive error text, or context that can aid reconnaissance.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding: The module presents itself as an LLM-based review gate, but the subprocess always returns a hardcoded approval when enabled and also fails open on errors. In a self-evolving agent, this creates a deceptive safety control: mutations can appear reviewed and approved without any real analysis, undermining trust boundaries and allowing unsafe changes to pass unchecked.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding: The comments and structure imply secure execution of a genuine review step, but the child process only emits a fixed auto-approval response. This kind of misleading implementation is dangerous because operators and downstream code may rely on it as a meaningful safety barrier when it provides none.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: The prompt embeds environment-derived data such as an environment fingerprint and an env-controlled hint into a highly privileged self-modification workflow. In a skill with network and shell permissions, exposing this context to the model expands the attack surface for prompt injection, secret-adjacent disclosure, and environment-specific steering that is not strictly necessary for code evolution.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding: This module is explicitly designed to transform internal runtime data, including session transcripts and evolution context, into outbound questions for an external Hub. That creates a data exfiltration pathway from potentially sensitive local context to a network destination, and the prompts are built from raw transcript-derived strings without any classification, consent, or redaction controls.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding: After synthesizing a new gene, the code automatically publishes it to an external Hub whenever `SKILL_AUTO_PUBLISH !== '0'`. This creates an outbound data flow and distribution action beyond local analysis/distillation, with no approval gate and no assurance that the generated gene or its metadata are safe, non-sensitive, or intended for external sharing.

VirusTotal

63/63 vendors flagged this skill as clean.
