Ai Evolution Engine V2
v1.0.0AI自我进化引擎 - 基于SEA循环(Sense-Evolve-Act)的AI成长系统。自我评估、学习引擎、进化机制、协作学习、安全保障。
⭐ 2· 2.3k·30 current·31 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The description promises scanning ClawHub, installing new skills, updating knowledge, and a full SEA evolution pipeline. The actual shipped scripts are lightweight CLI loggers: they do not implement network scanning, skill installation, or robust update/rollback logic. One real capability is that assess.mjs reads '../../skills' to count installed skills, which accesses files outside the package — this partly aligns with 'assess' but is broader than the skill's own directory and not described in the metadata. Overall the declared purpose is not matched by the code.
Instruction Scope
SKILL.md instructs running scripts including 'collaborate.mjs' which is referenced but not present in the file manifest. The instructions mention scanning ClawHub and installing skills, but there is no implementation or explicit safe procedure for network access or installation. assess.mjs performs filesystem enumeration of '../../skills', which reads outside the skill directory; that I/O is not called out in requires or SKILL.md and may expose metadata about other installed skills.
Install Mechanism
There is no install spec (instruction-only install), so nothing will be downloaded or extracted during install. The risk surface is limited to the included Node scripts which will run only if invoked. No external URLs or package installs are attempted by the provided files.
Credentials
The skill requests only the node binary and declares no environment secrets or config paths, which is proportionate to the simple scripts included. However, the described capabilities (scanning ClawHub, installing skills, updating shared knowledge) would normally require network access and possibly credentials — none are declared. That mismatch is notable: either the skill is incomplete, or it would expect the agent to perform privileged operations without declaring required credentials.
Persistence & Privilege
The skill is not marked 'always' and does not contain code that persistently modifies agent configuration. The SKILL.md and evolve.mjs mention updating knowledge files (.learnings, MEMORY.md, knowledge/) and installing skills, but the provided scripts do not perform those writes. Still, assess.mjs's directory read could expose information about other installed skills. No explicit privileged persistence is present in the shipped code.
What to consider before installing
This skill is inconsistent: its README promises scanning and installing other skills and a collaborative script, but the code only logs messages and one script enumerates a ../../skills directory. Before running it: (1) ask the author to explain/restore the missing collaborate.mjs and any install/scan logic; (2) inspect the contents of scripts locally and run them in an isolated sandbox — they currently only log, but assess.mjs does read a sibling 'skills' directory which could reveal information about your environment; (3) avoid running it on production agents or systems with sensitive other-skill data; (4) if you expect it to actually install or update skills, require explicit disclosure of network endpoints, credentials, and a safe install procedure; (5) if you want to proceed, run node scripts in a container with no network and limited filesystem access so you can validate behavior first.Like a lobster shell, security has layers — review code before you run it.
latestvk979k10a447kvqq0npdncz0ctx827aqk
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🧬 Clawdis
Binsnode