Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Auto Improvement Orchestrator Skill

v1.0.2

Automatic evaluation and improvement pipeline for Skills. 9-dimension structural scoring (including LLM-as-Judge), 4-role weighting, category correction coefficients (tool/knowledge/orchestration/rule), Pareto-front regression protection (security 2%/efficiency 10%/others 5%), trace-aware failure...

by_silhouette@lanyasheng
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases · Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's codebase (generator, discriminator, evaluator, executor, learner, session-feedback) matches the stated purpose of evaluating and auto-improving SKILL.md artifacts. However, the metadata/registry claims of 'no required env vars' and 'no required config paths' are inconsistent with code and docs that reference model APIs (e.g., Anthropic/claude CLI usage, ANTHROPIC_API_KEY) and explicit local paths (e.g., ~/.claude/projects). That discrepancy should be resolved: the code legitimately needs model credentials and can access local session logs, so the declared requirements are incomplete.
Instruction Scope
SKILL.md and README explicitly instruct running Python scripts that read user session logs (session-feedback-analyzer reads ~/.claude/projects/*.jsonl), run model CLI calls (e.g., 'claude -p'), run tests (pytest), and apply edits to other skills' SKILL.md files. These actions are coherent with the stated goal but are high-impact: they access private local data and modify repository files. The SKILL.md also contains a pre-scan prompt-injection signal (unicode control characters) embedded in the documentation, which could indicate an attempt to influence downstream LLM judgment chains. Overall, the runtime instructions give the skill broad discretion to read private files and make changes. That is acceptable for this purpose but sensitive, and the skill should only be run in a controlled environment with explicit consent and inspection.
Install Mechanism
There is no install spec (instruction-only), yet the package includes ~15 skills and many Python scripts intended to be executed directly from the repo. That reduces friction (no external downloads) but means running the code on disk will execute many modules. No remote install URLs were used (low supply-chain risk); however, running the included scripts without inspection will execute unreviewed logic. The presence of many tests and references to running with '--mock' is helpful; prefer running with mocks/dry-run in an isolated environment first.
Credentials
The registry metadata lists no required environment variables, but the code and README clearly reference model integration and environment credentials (e.g., ANTHROPIC_API_KEY, usage of 'claude -p', and possibly other model tokens). The session-feedback analyzer reads local Claude session files (~/.claude/projects), which is sensitive. Asking the user to point the tool at their home directory and to provide API keys is proportionate to the skill's function (it needs model access and user feedback), but the omission in declared requirements is a mismatch that can mislead users about what secrets and local data the skill will access.
Persistence & Privilege
The skill does modify other skills' SKILL.md files via its executor (append/replace/update actions) and intentionally creates backups and receipts for rollback. That behavior is coherent with an auto-improvement orchestrator and the code includes backup/rollback protections. 'always' is false and model invocation is allowed (normal). Because the skill can autonomously apply changes to user files, treat it as high privilege — run in a sandbox or with thorough review and human gate(s) enabled.
Scan Findings in Context
[unicode-control-chars] unexpected: The static scan found unicode control characters in SKILL.md (a prompt-injection pattern). They are not needed for the described functionality and may be an attempt to manipulate LLM processing or evaluation heuristics. Remove or review such characters before use; treat them as suspicious.
What to consider before installing
What to consider before installing or running this skill:

1) Incomplete declarations: Although registry metadata lists no required env vars, the code and README expect model access (e.g., Anthropic/Claude or other LLM keys) and the use of the local Claude CLI. Expect to supply API keys or to use mock mode. Do not provide secrets until you review where they are used.

2) Local data access: The session-feedback analyzer intentionally reads ~/.claude/projects/*.jsonl to extract user corrections. That is sensitive personal/work data. Only run the feedback components if you understand and consent to that access; prefer running with a copied/scrubbed dataset or with the option turned off.

3) File modifications: The executor will apply edits to SKILL.md files and has rollback, but you should ensure your repository is backed up and run first with --dry-run/--mock and human review gates enabled. Inspect the 'execute.py' and 'rollback.py' behavior and test the backup/restore flow in a sandbox.

4) Prompt-injection artifact: SKILL.md contains unicode control characters flagged by the scanner. Treat this as a red flag: remove or sanitize control characters and re-open the file in a safe editor before use. These characters can change how LLMs parse the prompt.

5) Audit network activity: Before running, search the code for outbound network calls (requests, urllib, subprocess that calls curl/gh/ssh) and for any hardcoded endpoints. The project is self-contained (no remote install), but the runtime may call external APIs (LLM providers, telemetry). If you must run it, do so in an isolated container or VM, and monitor outbound connections.

6) Use safe invocation modes: Follow README suggestions: run with '--mock' where available; prefer evaluation-only/read-only modes first (e.g., max-iterations=1, --dry-run, --memory-dir in a temp directory). Run the test suite locally (pytest) to build confidence.

7) Review credentials and config: Grep for environment variables like ANTHROPIC_API_KEY, OPENAI_API_KEY, CLAUDE CLI usage, or other tokens in the codebase and documentation. Only supply keys that are scoped and revocable; avoid using high-privilege account keys.

8) Consider manual gating: Because the tool can autonomously propose and apply edits, keep the human-in-the-loop gate enabled and review the gate/review CLI (review.py) behavior before enabling automatic execution in batch/autoloop.

If you want, I can (a) scan the repo for occurrences of network calls and env-var usage, (b) extract the exact places where credentials are referenced (file + line example), or (c) produce a short checklist and recommended container command line to run the skill in an isolated sandbox with mocks enabled.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
skills/improvement-discriminator/scripts/score.py:402: Dynamic code execution detected.


