Rocky Evo
WarnAudited by ClawScan on May 11, 2026.
Overview
Rocky Evo is openly designed to read recent logs and conversations, inspect model/account configuration, and run ongoing automatic fixes every four hours, which is powerful but too broadly scoped for a low-risk install.
Do not run setup.sh on a production or personal OpenClaw environment unless you are comfortable with a persistent self-repair loop. If you test it, use a low-privilege/test agent, back up ~/.openclaw, disable automatic scheduling, restrict log/session collection, review every proposed fix before execution, and verify exactly which chat channel will receive reports.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could modify configuration, services, files, sessions, or channels in ways the user did not explicitly approve.
The skill instructs the agent to execute unspecified repair commands based on log analysis, without a concrete allow-list, approval boundary, or rollback plan.
AI 自己看原始日志,自行判断问题并直接执行修复命令。... 不需要任何预定义修复脚本,AI 自己决定修什么、怎么修。
Require dry-run output and human confirmation for every mutation, or limit repairs to a documented allow-list with rollback.
Private conversations or operational details could enter the model context, and malicious log/session content could influence automatic repair decisions.
The skill feeds broad raw logs and agent session transcripts into AI analysis; those logs may contain private data, secrets, or adversarial instructions.
dump 原始日志 → AI 分析 ... 输出包含 ... gateway.log ... 所有 agent 的会话 jsonl ... cron runs 记录
Scope collection to the specific agent/session, redact session content and secrets, and treat logs as untrusted input rather than instructions.
Account or model authentication details could be exposed in analysis, reports, or repair actions if not carefully redacted.
The skill authorizes inspection of local model/account configuration, including API-key and OAuth/subscription state, but the credential scope and output boundaries are not clearly defined.
从 openclaw.json 读取当前 agent 的模型配置 ... API Key 模型 ... 订阅/Portal 模型(authHeader: true, 无需 API Key)→ 关注 OAuth 令牌、订阅状态
Declare credential use explicitly, inspect only status metadata, never expose token values, and document exactly which config fields are read.
After setup, the agent can keep invoking the self-repair workflow at login/boot or on a timer until the scheduler is removed.
The setup script creates persistent OS-level scheduling so the skill continues running automatically every four hours.
# 创建 4 小时定时触发(macOS launchd / Linux systemd) ... <key>RunAtLoad</key> ... <true/> ... OnUnitActiveSec=4h
Make the scheduler opt-in and disabled by default, show clear status, and verify uninstall removes all cron, launchd, and systemd entries.
Internal diagnostics or sensitive repair details may be posted into chat channels without a per-run confirmation.
The skill automatically sends repair reports to active external messaging channels, but does not define what diagnostic content is safe to send.
修复完成后,**必须**发到当前 agent 绑定的通道 ... sessions_list({ activeWithinSeconds: 3600 }) ... sessions_send({ sessionKey, message }) ... feishu / openclaw-weixin / telegram / discord / slackAsk the user to choose the reporting destination, redact report content, and avoid posting raw logs or credential-related details.
A wrong interpretation of logs could repeatedly change services or messaging state and make failures spread across the OpenClaw environment.
The documented direct-fix set includes configuration, permissions, services, sessions, and channels, which can affect multiple parts of the environment.
小问题 → 直接修复(无需确认) ... 配置错误、权限缺失、服务假死 ... 日志轮转、session 清理、通道重连
Add containment controls such as backups, rollback, maximum changes per run, stop-on-error behavior, and approval for repeated or cross-system fixes.
Automated install metadata may understate what happens if a user or agent runs the included setup script.
The registry does not declare an install mechanism even though the package includes setup scripts and instructions that create recurring schedulers.
No install spec — this is an instruction-only skill.
Publish an explicit install spec and required-tool list, and describe the scheduler, cron edits, and uninstall behavior in metadata.