Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
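Self Evolution Engine
v2025.4.15
Self Evolution Engine - gives AI Skills the ability to analyze, improve, and teach themselves. By monitoring execution logs, analyzing user feedback, automatically discovering optimization points, and generating improvement plans, it enables the continuous evolution of Skills. Suited to skill developers who want to automate skill maintenance, optimization, and iteration.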
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's declared purpose (self-analysis and automated improvement of other skills) matches many implemented components (performance monitor, error analyzer, evolution generator, version manager). However there are mismatches: _meta.json declares SkillPay billing env vars as required but the registry metadata shown earlier says none; SKILL.md references tools/files (init_engine.py, feedback_learner.py, some reference docs) that are missing from the package. The evolution generator and version manager operate on a workspace path (/root/.openclaw/workspace/skills) which gives access to other skills' code — that is coherent with cross-skill evolution but is a high-privilege capability that should have been explicitly declared.
Instruction Scope
Runtime instructions in SKILL.md direct running monitoring, analysis, and apply commands. The scripts will read/write local log files and can create backups, snapshots, and apply patches to skill directories. SKILL.md does not disclose that the code will operate on /root/.openclaw/workspace/skills or create .evolutions/.backups/.versions inside other skill directories, nor does it clearly state how payment verification is enforced. SKILL.md also tells users to run a script (scripts/init_engine.py) that is not present — runtime instructions are therefore incomplete and unsafely vague.
Install Mechanism
No install spec or remote downloads are present; this is an instruction-and-script bundle. That lowers install-time risk (no external archives executed automatically). Dependencies are listed in requirements.txt and are reasonable for the described functionality.
Credentials
Multiple inconsistencies around credentials: _meta.json indicates SKILLPAY_API_KEY and SKILLPAY_USER_ID are required, SKILL.md and payment.py expect a SKILLPAY_USER_ID, but the presented registry metadata lists no required env vars. Worse, payment.py contains a hard-coded billing API key (long secret string) embedded in source — this is a serious security and provenance concern. The skill reaches out to an external billing service (https://skillpay.me). The code does not require or justify host-level credentials but does assume write access to a workspace under /root, which is privileged and not declared.
Persistence & Privilege
The skill will create and modify files under a workspace path (default /root/.openclaw/workspace/skills/<skill>) including .evolutions, .backups, and .versions and can apply patches to skill code. While this capability aligns with an auto-evolution purpose, it is effectively high privilege (can alter other skills) and was not declared in the registry metadata. always:false mitigates forced installation, but autonomous invocation is enabled (default) and would increase risk if the skill is allowed to run without strict human gating.
What to consider before installing
Do not install or run this skill without manual review and mitigation. Specific concerns:
1) payment.py embeds a hard-coded billing API key — treat this as compromised/unknown provenance and remove before use; verify the billing endpoint and author separately.
2) The package references required env vars in _meta.json (SKILLPAY_API_KEY, SKILLPAY_USER_ID) but the registry metadata lists none — clarify which credentials are required and why.
3) The evolution generator and version manager default to /root/.openclaw/workspace/skills and will read/modify other skills' files; run only in a sandboxed environment and avoid running as root.
4) SKILL.md references missing scripts (init_engine.py, feedback_learner.py) and docs, and some runtime behaviors are vaguely specified — request a complete, consistent SKILL.md and confirm which operations require human approval.
5) Before using: audit the code paths that apply patches (ensure human confirmation is enforced), remove or rotate any embedded secrets, test in an isolated environment, and require explicit consent/approval for any changes to other skills.
If you cannot get a trustworthy author or a corrected package, consider this skill unsafe to run in production.
Like a lobster shell, security has layers — review code before you run it.
