Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Self Evolution Engine
v1.0.0
Autonomous self-improvement engine that learns from interactions, identifies patterns, and evolves behavior over time. Use when: (1) Analyzing interaction pa...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description describe a self-improvement engine and the included script implements pattern detection, rule extraction, validation, and integration into behavioral files (SOUL.md, AGENTS.md, TOOLS.md). That capability broadly matches the stated purpose. However, the registry metadata declares no required config paths or credentials while the skill clearly reads/writes user workspace files under the user's home directory (~/.openclaw/workspace). The lack of declared filesystem/config access in metadata is an inconsistency.
Instruction Scope
SKILL.md instructs the agent to read .learnings/, memory/YYYY-MM-DD.md, MEMORY.md, and session transcripts and to run the provided script to analyze, validate, and integrate behavioral changes. These instructions allow reading potentially sensitive conversation history and writing/updating agent behavior files (SOUL.md, AGENTS.md, TOOLS.md). The skill therefore has the ability to collect broad personal and interaction data and to persist changes to agent behavior — this is a significant scope of access that is not narrowly constrained. The SKILL.md uses a {baseDir} placeholder while the script uses a hard-coded WORKSPACE path under the user's home, which is a mismatch that could cause unexpected behavior.
Install Mechanism
No install spec is present (instruction-only plus included script). This is lowest install risk: nothing is downloaded during install. The provided script will run if invoked, and files will be created under the user's workspace, but there is no external installer or remote download indicated.
Credentials
The skill declares no required environment variables or config paths but both SKILL.md and the script operate on a workspace under the user's home and expect files such as .learnings/, memory/, MEMORY.md, and behavioral files. That means it requires unfettered filesystem access to user data despite metadata not declaring this need. While no external credentials are requested, the requested implicit access to conversational memory and session transcripts is high-impact relative to what the metadata advertises.
Persistence & Privilege
The skill can create an evolution directory and write changes to behavioral files (SOUL.md, AGENTS.md, TOOLS.md) — persistent modifications to agent behavior. 'always' is false, and autonomous invocation is allowed (platform default), but the combination of autonomous invocation and the ability to modify persisted behavior files increases the blast radius. The skill claims validation steps but also offers an auto-integrate flow; the metadata does not indicate that it will modify persistent config, which is an inconsistency.
What to consider before installing
This skill will read and analyze files in a workspace under your home directory (e.g., .learnings/, memory/, MEMORY.md) and can write changes to agent behavioral files (SOUL.md, AGENTS.md, TOOLS.md). The registry metadata did not declare those config paths or filesystem access. Before installing or running it:
(1) Review the full evolution.py script (the provided file was truncated in the package) to confirm there are no network calls or hidden endpoints that could exfiltrate data.
(2) Back up SOUL.md/AGENTS.md/TOOLS.md and any memory files so you can revert changes.
(3) Run the tool in a sandboxed environment or container first and exercise only read/analysis modes (dry-run) to verify outputs.
(4) Prefer disabling autonomous invocation until you confirm behavior and/or add explicit safeguards (approval steps) around any --integrate actions.
(5) If you proceed, limit the filesystem workspace it can access or move a copy of your workspace into an isolated test area.
If you want higher confidence, provide the remaining portion of evolution.py so it can be fully audited for network I/O, subprocess execution, or other risky operations.
Like a lobster shell, security has layers — review code before you run it.
latestvk976bs1z4p0ftqhgcmgv7fptf983pxq4
