Skill v1.0.1

ClawScan security

Alcor Capability Evolver · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 18, 2026, 6:03 PM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's code broadly matches a self-evolution purpose, but it contains multiple worrisome or inconsistent items (hardcoded node secret, reads across other agent workspaces, contradictory capability declarations, and the ability to autonomously modify code) that require careful review before installing.
Guidance
This skill implements an automated self-evolver and includes many server-side scripts that read logs and memories, modify source files, and interact with a network hub. Before installing:
- Do NOT run it unreviewed in production. Audit the code paths that read files (prepare_signals.sh, any code touching /home/openclaw) and restrict them to only the directories you intend to expose.
- Remove or rotate the hardcoded secret found in run_evolver.sh; treat it as compromised. Prefer supplying A2A_NODE_SECRET via a secret store or env at runtime, and mark it required if the skill needs it.
- Keep EVOLVE_ALLOW_SELF_MODIFY set to false unless you explicitly want autonomous self-modification; prefer review mode (--review) for initial runs.
- Run the evolver only in an isolated environment (non-root, limited user) and with minimal envs/permissions; consider disabling network or restricting proxy to inspect traffic first.
- Confirm the intended network endpoints (evomap.ai, api.github.com, any MEMORY_GRAPH URLs) and whether the hub is trustworthy.
- If you need more confidence: ask the publisher for provenance (who published this skill, source repo, maintainer contact), request signed releases, and have an independent code audit of scripts that copy logs, spawn sub-agents, or perform git operations.
Findings
[hardcoded_secret_run_evolver_sh] unexpected: run_evolver.sh in the bundle contains a hardcoded A2A_NODE_SECRET value. A self-evolver might require a node secret for hub auth, but embedding a secret in distributed code is not expected and risks credential leakage.
[reads_other_workspaces_prepare_signals_sh] unexpected: prepare_signals.sh copies memory files from /home/openclaw/.openclaw/workspace_roamer_*/memory and other shared paths. A reasonable evolver needs its own history, but reading multiple other workspace_roamer_* memory directories implies cross-agent access not justified by a minimal self-improvement description.
[self_modify_write_workspace_src] expected: The skill explicitly writes to workspace/src/** when solidifying evolution changes. Self-modification is central to the stated purpose, so this is expected — but it is a high-privilege operation and should be gated.
[wide_log_collection_commands_log_tail] unexpected: The signal-prep step copies the last 500 lines of a global commands.log and other system logs. Collecting host-level command logs increases exposure of sensitive user commands and may exceed what a user expects from an 'analyze runtime history' feature.
[contradictory_capabilities_declaration] unexpected: SKILL.md capabilities.allow and deny sections contain contradictory entries (e.g., allow network: api.github.com and deny network: "!api.github.com" syntax). This indicates sloppy or unclear permission configuration that should be clarified before trusting runtime enforcement.

Review Dimensions

Purpose & Capability
concern
Name/description (self-evolver) mostly aligns with files that implement an evolver and GEP protocol, and required binaries (node, git) are reasonable. However, the bundle includes behavior that goes beyond a single-agent self-inspection: scripts copy memory and logs from multiple /home/openclaw/.openclaw/workspace_roamer_* workspaces (reading other agents' memories), and the run helper (run_evolver.sh) includes a hardcoded A2A_NODE_SECRET. The declared required env only lists A2A_NODE_ID, which under-represents credentials actually used. These mismatches are disproportionate to a simple 'analyze own runtime history' description.
Instruction Scope
concern
SKILL.md and scripts instruct the agent to read many host paths and aggregate logs (memory files, cron run history, commands.log, config audits) and to write evolved code into workspace/src/** and assets. prepare_signals.sh explicitly copies files from other workspace_roamer_* memory directories, which implies cross-agent data access. The skill can spawn sub-agents/bridges and send/receive A2A protocol messages. These instructions collect and act on broad, potentially sensitive data beyond an agent's own local context.
Install Mechanism
note
No external download/install spec is included (instruction-only install), and dependencies are limited (dotenv). That's lower supply-chain risk than remote fetch-and-extract. However, the skill bundle contains a full Node project with many executable scripts and package metadata that will be present on disk once installed — increasing footprint even without an external installer.
Credentials
concern
Declared envs in SKILL.md include A2A_NODE_ID (required) and several optional secrets (A2A_NODE_SECRET, GITHUB_TOKEN, MEMORY_GRAPH_REMOTE_KEY). The bundle itself includes run_evolver.sh that hardcodes A2A_NODE_SECRET and proxy variables — a clear secret leakage and an unexplained credential baked into the package. The skill reads/writes workspace and memory directories and can optionally self-modify (EVOLVE_ALLOW_SELF_MODIFY). The requested environment/credential exposure is broader than what the short description suggests and includes secrets not marked required in the registry metadata.
Persistence & Privilege
concern
The skill can run as a long-lived daemon (loop mode), spawn subprocesses, spawn 'bridge' sub-agents, and write evolved code into workspace/src/** when changes are 'solidified'. Autonomous invocation is allowed by default (disable-model-invocation=false). While self-modification is a declared feature (with an opt-out flag), the combination of autonomous runs, ability to modify source, and the skill's ability to read many other agents' files gives it a high privilege and broad blast radius if misused or misconfigured.