v2025.4.15

Self Evolution Engine 自我进化引擎

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:30 AM.

Analysis

The skill’s self-improvement features are mostly coherent, but it includes under-declared payment/credential handling and broad authority to change installed skill files.

Guidance: Review the payment integration before installing, verify the SkillPay provider and publisher, and avoid running file-changing evolution or rollback commands on production skills. If you test it, use an isolated copy, inspect every generated patch, and avoid putting secrets in feedback or error logs.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
Severity: Medium, Confidence: High, Status: Concern
_meta.json
"payment": { "api_key_env": "SKILLPAY_API_KEY", "user_id_env": "SKILLPAY_USER_ID", "required": true }

The payment metadata says payment credentials/user identity are required, but the registry-facing requirements list no required env vars and no primary credential, creating a misleading install-time picture.

User impact: A user may believe the skill needs no credential or account setup while the package actually contains required payment integration.
Recommendation: Align registry metadata, _meta.json, and SKILL.md so payment requirements, credential handling, and billing behavior are visible before installation.

Tool Misuse and Exploitation
Severity: Medium, Confidence: High, Status: Concern
scripts/version_manager.py
self.skill_dir = Path(workspace_dir) / skill_name ... "warning": "当前未保存的修改将丢失" ... shutil.copy2(file_path, dest)

The version manager targets a skill directory derived from the provided skill name and can restore files over the current skill files during rollback.

User impact: If invoked on the wrong skill or with an unsafe target name, it could overwrite skill code and change how the agent behaves.
Recommendation: Run only on a copied/test skill, require explicit confirmation for every file-changing action, and add path validation so operations cannot escape the intended skill directory.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
SKILL.md
python scripts/init_engine.py --target-skill my-skill ... feedback_learner.py - 反馈学习器

SKILL.md references helper files that are not present in the supplied file manifest, indicating incomplete package/documentation coherence.

User impact: Setup instructions may fail or cause users to seek replacement helper scripts outside the reviewed package.
Recommendation: Use only files included in the reviewed package and ask the publisher to provide or remove missing helpers from the documentation.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High, Confidence: High, Status: Concern
payment.py
BILLING_API_KEY = "sk_f03aa8f8..."; requests.post(f"{BILLING_API_URL}/api/v1/billing/charge", ... json={"user_id": user_id, "skill_id": SKILL_ID, "amount": PRICE_PER_CALL})

The code embeds a billing API key and includes a function that charges a user identifier through SkillPay, while the supplied registry requirements say no primary credential or required environment variables are declared.

User impact: Installing or invoking this skill may involve payment-related account authority and transmission of a SkillPay user identifier to the billing provider.
Recommendation: Do not install until the publisher removes hardcoded credentials, declares required payment/user ID variables clearly, and requires explicit user approval before any charge.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low, Confidence: Medium, Status: Note
references/architecture.md
记录写入本地日志文件(JSON Lines格式) ... "error_message": "Max retries exceeded", "user_feedback": "经常超时,希望能加代理"

The architecture describes persistent local logs containing execution errors and user feedback that are later analyzed for improvement suggestions.

User impact: Error messages or feedback could retain sensitive details and influence future generated improvement plans.
Recommendation: Avoid logging secrets, define retention and deletion rules, and review generated evolution plans before applying them.