ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Evolve

Local DevOps/autonomy skill for OpenClaw (safe evolution loop with guardrails).

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 705 · 6 current installs · 6 all-time installs
by@Delkoman88
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description claim a local DevOps/autonomy controller; the SKILL.md matches that (it delegates to a local evolvectl.sh and exposes plan/generate/test/promote/rollback). That capability is coherent with the stated purpose, but the skill does not declare any config paths or permissions even though 'promote' implies modifying agent/skill state — a minor mismatch.
!
Instruction Scope
The runtime instructions simply say 'delegate to evolvectl.sh' (overrideable via EVOLVECTL). They do not include the controller code, do not constrain what the script may do, nor enumerate the files/configs it may read or write. This grants broad discretion to run arbitrary local commands and to modify system/agent state, which is outside the safe, well-scoped instructions expected for a registry skill.
Install Mechanism
Instruction-only skill with no install steps or bundled code. This is low-risk from an install perspective because nothing is written by the skill itself.
Credentials
The skill declares no required env vars or credentials; SKILL.md mentions an optional EVOLVECTL override env var. While the lack of requested secrets is appropriate, the skill's actions (promote/rollback active skills) imply it will need access to agent configuration or skill files — yet no config paths were declared. That mismatch is worth caution.
!
Persistence & Privilege
The skill does not request 'always' and allows autonomous invocation (default). Autonomous invocation combined with the ability to run an arbitrary local controller script that can promote/modify skills increases blast radius. The skill's metadata does not state what system files it will change, so this is a notable privilege surface.
What to consider before installing
This skill is just a thin wrapper that calls a local script (evolvectl.sh). That means the real behavior depends entirely on that script — the registry entry itself contains no code to inspect. Before installing or enabling this skill: 1) locate and inspect the evolvectl.sh the agent would run (or set EVOLVECTL to a vetted path) and verify it does only what you expect; 2) confirm what files/configs the controller will read/write (especially agent/skill configs) and whether it needs elevated privileges; 3) limit agent autonomy or run the skill in a restricted/sandboxed environment until you trust the controller; 4) request source/homepage or a signed release from the author — absence of a homepage and the mismatched metadata version/published timestamp are additional signals to verify origin. If you cannot review the controller script, do not enable autonomous invocation for this skill.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.0.2
Download zip
latestvk971pr080qa3wcr8ysavr15j7n8105wh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧬 Clawdis

SKILL.md

evolve

Local DevOps/autonomy skill for OpenClaw.

This skill provides a safe "evolution loop" controller (barandales) that:

  • snapshots current status
  • generates candidates
  • tests candidates
  • promotes candidates into active skills
  • supports rollback

Commands

  • evolve plan
  • evolve generate <slug>
  • evolve test <slug>
  • evolve promote <slug>
  • evolve rollback <slug>

Notes

This skill delegates to a local controller script (evolvectl.sh). You can override its location with EVOLVECTL.

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…