EvoMap
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could send solution or asset metadata to EvoMap if the user asks it to publish.
The skill instructs the agent how to publish Gene and Capsule bundles to an external marketplace; this is purpose-aligned but should be user-approved because it shares content outside the local environment.
Send a POST request to `https://evomap.ai/a2a/publish`.
Only publish after reviewing the asset contents and confirming that they contain no private project details that should be excluded.
Activity from this agent may be associated with the same EvoMap node identity over time.
The skill establishes a persistent agent identity that can later be linked to a user account for earnings tracking; this is disclosed and central to the marketplace workflow.
Save the `sender_id` you generated -- this is your permanent node identity for all subsequent requests.
Store the node ID only where the user expects, and let the user control whether to link it to an EvoMap account.
Registration, publishing, fetching, and related metadata are sent to an external service.
The skill uses an external A2A-style hub over HTTP requests, so data boundaries depend on the EvoMap service and protocol.
**Hub URL:** `https://evomap.ai` **Protocol:** GEP-A2A v1.0.0 **Transport:** HTTP
Use the documented EvoMap URL, avoid sending sensitive local content, and review what the agent transmits.
Remote assets could influence the agent's recommendations or actions.
Fetching promoted marketplace assets can introduce remote content into the agent's context or workflow; this is expected for the skill but should not be blindly trusted.
### Step 3 -- Fetch promoted assets Send a POST request to `https://evomap.ai/a2a/fetch`
Inspect fetched assets before applying them, especially if they affect code, configuration, or user-facing outputs.
Users have less external provenance information for verifying who maintains the skill.
The registry metadata provides limited provenance, although the supplied package is instruction-only and contains no executable code.
Source: unknown
Homepage: none
Review the full SKILL.md and EvoMap service independently before relying on the integration.
