Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Capability Evolver Zc

v1.27.7

A self-evolution engine for AI agents. Analyzes runtime history to identify improvements and applies protocol-constrained evolution.

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code (many src/ files, a loop daemon, a2a export/ingest/promote, validation/solidify logic) is consistent with a self-evolution engine that reads logs, selects 'genes', and applies patches. However the registry metadata declares no required env vars while SKILL.md and code require/encourage an EvoMap node identity (A2A_NODE_ID/A2A_HUB_URL) and Git — that mismatch is surprising and should be clarified. Network integration (evomap.ai) is an expected capability for a collaborative evolution network, but it is not declared in required.env.
Instruction Scope
Runtime instructions explicitly tell operators to run node index.js (or /evolve) and describe fully automated 'Mad Dog' loop mode that will apply changes autonomously unless --review is used. The skill scans local logs, reads/writes assets under assets/ and memory/, can run validation commands, and can spawn child node processes. Those actions are consistent with the stated goal but broaden the agent's authority over local files and processes (including git operations and rollbacks); the instructions also recommend onboarding to an external EvoMap network, which enables outbound sharing of evolution assets and events.
Install Mechanism
No install spec is declared (instruction-only), and dependencies are minimal (dotenv). That reduces installer risk because nothing is fetched automatically by a registry install step. The codebase itself contains logic to call external transports (a2aProtocol/getTransport) at runtime — network usage is runtime behavior rather than an install-time download.
Credentials
The declared requirements show no env vars, but SKILL.md and code expect A2A_NODE_ID, A2A_HUB_URL, and optionally GITHUB_TOKEN/GH_TOKEN for auto-issue reporting and public publish flows. Optional but powerful env controls exist (EVOLVE_ALLOW_SELF_MODIFY, EVOLVER_AUTO_ISSUE, EVOLVE_REPORT_TOOL). Requesting external node identity and tokens is plausible for a networked evolver, but the absence of these in the registry metadata is an incoherence and the number of optional variables (and their potential to expose logs or repo state externally) is higher than a trivial meta-skill would need.
Persistence & Privilege
always:false (good) and autonomous invocation is allowed by default (normal). However the skill intentionally includes self-modification capabilities (EVOLVE_ALLOW_SELF_MODIFY toggles autonomous edits to its own source) and performs git-based rollbacks/solidify steps (including destructive git reset --hard when configured). It can also auto-file GitHub issues and publish assets to an external EvoMap transport. Combined, these grant broad workspace influence; the feature set is explainable but powerful and risky if misconfigured.
What to consider before installing
This package largely implements what it says, but it carries capabilities that can affect your repository and send data outside your host. Before installing or running:

  • Treat EVOLVE_ALLOW_SELF_MODIFY as dangerous: leave it false for production. Only enable in isolated experiments.
  • Run in review mode (node index.js --review) initially; avoid --loop/'mad-dog' until you trust behavior.
  • Inspect src/gep/a2aProtocol and getTransport() to see exactly which endpoints will receive assets (evomap.ai is referenced). If you must prevent outbound sharing, do not set A2A_NODE_ID and disable A2A transports.
  • Disable automatic GitHub issue filing unless you trust the repo and have audited the redaction code: set EVOLVER_AUTO_ISSUE=false or avoid providing GITHUB_TOKEN/GH_TOKEN.
  • Back up your workspace and ensure the repo is under version control on a separate branch before allowing the tool to run; prefer EVOLVER_ROLLBACK_MODE=stash rather than hard.
  • Review any Genes/Capsules to be promoted; promotion requires --validated but inspect validation arrays — the code limits validation commands to node/npm/npx and forbids shell operators (a mitigation) but you should still audit them.
  • If you want minimal risk, run the tool in an isolated container or VM with no network access and with a cloned test repository so file changes and network calls cannot impact production.

If you need more confidence about outbound endpoints or the exact conditions under which files are modified, ask for the contents of src/gep/a2aProtocol.js, src/gep/solidify.js, and any code that implements redaction for auto-issue reporting — those files determine exfiltration, validation, and rollback behavior.
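The recommendations above can be turned into a preflight check that runs before the evolver is launched. This is an added example, not code from the skill; the variable names and documented defaults come from this page, while the boolean parsing ("false", "0" or unset means off) and the function name auditEvolverEnv are assumptions.

```javascript
// Added example: preflight audit of the environment an evolver run would inherit.
// Variable names and defaults are those listed on this page; treating
// "false"/"0"/unset as "off" is an assumption about how the skill parses them.
const isOff = (v) => v === undefined || ['', '0', 'false'].includes(String(v).toLowerCase());

function auditEvolverEnv(env, argv) {
  const findings = [];
  const add = (id, msg) => findings.push({ id, msg });

  if (!isOff(env.EVOLVE_ALLOW_SELF_MODIFY)) {
    add('self-modify', 'EVOLVE_ALLOW_SELF_MODIFY is enabled; leave it false outside isolated experiments');
  }
  // No flags means fully automated mode, so a missing --review is itself a finding.
  if (!argv.includes('--review')) {
    add('no-review', 'run with --review until the behaviour is trusted');
  }
  if (argv.includes('--loop')) {
    add('loop', '--loop applies changes continuously without confirmation');
  }
  // The documented default is "hard" (git reset --hard), so unset counts as hard.
  const rollback = (env.EVOLVER_ROLLBACK_MODE || 'hard').toLowerCase();
  if (rollback === 'hard') {
    add('rollback-hard', 'EVOLVER_ROLLBACK_MODE=hard is destructive; prefer stash');
  }
  if (env.A2A_NODE_ID) {
    add('a2a-enabled', 'A2A_NODE_ID is set; assets may be shared with ' + (env.A2A_HUB_URL || 'the configured hub'));
  }
  const hasToken = Boolean(env.GITHUB_TOKEN || env.GH_TOKEN);
  if (hasToken && String(env.EVOLVER_AUTO_ISSUE).toLowerCase() !== 'false') {
    add('auto-issue', 'a GitHub token is present and EVOLVER_AUTO_ISSUE is not false');
  }
  return findings;
}

// Constructed samples: a risky environment and the hardened one the scan suggests.
const risky = { EVOLVE_ALLOW_SELF_MODIFY: 'true', A2A_NODE_ID: 'node_xxxxxxxxxxxx', GH_TOKEN: 'placeholder' };
const hardened = { EVOLVE_ALLOW_SELF_MODIFY: 'false', EVOLVER_ROLLBACK_MODE: 'stash', EVOLVER_AUTO_ISSUE: 'false' };

console.log(auditEvolverEnv(risky, ['--loop']).map((f) => f.id));
console.log(auditEvolverEnv(hardened, ['--review']));
```

Pass process.env and process.argv.slice(2) to audit a real launch, and refuse to start the evolver while the returned list is non-empty.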
Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Shell command execution detected (child_process):

  • index.js:164
  • scripts/build_public.js:170
  • scripts/generate_history.js:17
  • scripts/publish_public.js:13
  • scripts/recover_loop.js:19
  • scripts/suggest_version.js:27
  • src/evolve.js:279
  • src/gep/deviceId.js:51
  • src/gep/llmReview.js:70
  • src/gep/solidify.js:66
  • src/ops/health_check.js:20
  • src/ops/lifecycle.js:27
  • src/ops/self_repair.js:17
  • src/ops/skills_monitor.js:96

Environment variable access combined with network send:

  • scripts/publish_public.js:248
  • src/evolve.js:56
  • src/gep/a2aProtocol.js:75
  • src/gep/hubReview.js:104
  • src/gep/hubSearch.js:19
  • src/gep/issueReporter.js:21
  • src/gep/memoryGraphAdapter.js:77
  • src/gep/taskReceiver.js:11
  • src/ops/self_repair.js:45

File read combined with network send (possible exfiltration):

  • scripts/publish_public.js:254
  • src/evolve.js:369
  • src/gep/a2aProtocol.js:41
  • src/gep/hubReview.js:24
  • src/gep/issueReporter.js:42
  • src/gep/questionGenerator.js:20

Like a lobster shell, security has layers — review code before you run it.

latest: vk974pvqcvzmd97mra24rxh9xpn83m1hr
1k downloads
0 stars
5 versions
Updated 3h ago
v1.27.7
MIT-0

🧬 Capability Evolver

"Evolution is not optional. Adapt or die."

The Capability Evolver is a meta-skill that allows OpenClaw agents to inspect their own runtime history, identify failures or inefficiencies, and autonomously write new code or update their own memory to improve performance.

Features

  • Auto-Log Analysis: Automatically scans memory and history files for errors and patterns.
  • Self-Repair: Detects crashes and suggests patches.
  • GEP Protocol: Standardized evolution with reusable assets.
  • One-Command Evolution: Just run /evolve (or node index.js).

Usage

Standard Run (Automated)

Runs the evolution cycle. If no flags are provided, it assumes fully automated mode (Mad Dog Mode) and executes changes immediately.

node index.js

Review Mode (Human-in-the-Loop)

If you want to review changes before they are applied, pass the --review flag. The agent will pause and ask for confirmation.

node index.js --review

Mad Dog Mode (Continuous Loop)

To run in an infinite loop (e.g., via cron or background process), use the --loop flag or just standard execution in a cron job.

node index.js --loop

Setup

Before using this skill, register your node identity with the EvoMap network:

  1. Run the hello flow (via evomap.js or the EvoMap onboarding) to receive a node_id and claim code
  2. Visit https://evomap.ai/claim/<claim-code> within 24 hours to bind the node to your account
  3. Set the node identity in your environment:

export A2A_NODE_ID=node_xxxxxxxxxxxx

Or in your agent config (e.g., ~/.openclaw/openclaw.json):

{ "env": { "A2A_NODE_ID": "node_xxxxxxxxxxxx", "A2A_HUB_URL": "https://evomap.ai" } }

Do not hardcode the node ID in scripts. getNodeId() in src/gep/a2aProtocol.js reads A2A_NODE_ID automatically -- any script using the protocol layer will pick it up without extra configuration.

Configuration

| Environment Variable | Default | Description |
|---|---|---|
| A2A_NODE_ID | (required) | Your EvoMap node identity. Set this after node registration -- never hardcode it in scripts. Read automatically by getNodeId() in a2aProtocol.js. |
| EVOLVE_ALLOW_SELF_MODIFY | false | Allow evolution to modify evolver's own source code. NOT recommended for production. Enabling this can cause instability -- the evolver may introduce bugs into its own prompt generation, validation, or solidify logic, leading to cascading failures that require manual intervention. Only enable for controlled experiments. |
| EVOLVE_LOAD_MAX | 2.0 | Maximum 1-minute load average before evolver backs off. |
| EVOLVE_STRATEGY | balanced | Evolution strategy: balanced, innovate, harden, repair-only, early-stabilize, steady-state, or auto. |
| EVOLVER_ROLLBACK_MODE | hard | Rollback strategy when evolution fails. hard: use git reset --hard (destructive, original behavior). stash: use git stash to preserve changes for recovery. none: skip rollback entirely. Use stash for safer operation in active workspaces. |

GEP Protocol (Auditable Evolution)

This package embeds a protocol-constrained evolution prompt (GEP) and a local, structured asset store:

  • assets/gep/genes.json: reusable Gene definitions
  • assets/gep/capsules.json: success capsules to avoid repeating reasoning
  • assets/gep/events.jsonl: append-only evolution events (tree-like via parent id)
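The scan summary on this page states that validation commands are limited to node/npm/npx with no shell operators, and advises inspecting validation arrays before promoting a Gene. The following added example (not the project's own code) applies that stated policy to Gene definitions and also flags allowlisted commands that still run arbitrary code; the gene shape with id and validation fields and both function names are assumptions.

```javascript
// Added example: audit Gene validation commands against the policy the scan
// describes (node/npm/npx only, no shell operators). The gene shape
// ({ id, validation: [...] }) is an assumption, not the project's schema.
const ALLOWED = new Set(['node', 'npm', 'npx']);
// Characters that let a shell chain, redirect, substitute or expand a command.
const SHELL_META = /[;&|<>`$(){}\\\n\r]/;

function checkValidationCommand(cmd) {
  if (typeof cmd !== 'string' || cmd.trim() === '') return 'empty or non-string command';
  if (SHELL_META.test(cmd)) return 'contains a shell operator';
  const [binary, ...args] = cmd.trim().split(/\s+/);
  // Exact match only: "./node" or "/tmp/npm" is not the allowlisted binary.
  if (!ALLOWED.has(binary)) return `binary "${binary}" is not node/npm/npx`;
  // Allowlisted binaries still execute code, so these need a human look.
  if (binary === 'node' && args.some((a) => /^(-e|--eval|-p|--print|-r|--require)$/.test(a))) {
    return 'node runs inline or preloaded code';
  }
  if (binary === 'npx') return 'npx may fetch and run a package';
  return null;
}

function auditGenes(genes) {
  const problems = [];
  for (const gene of genes) {
    const cmds = Array.isArray(gene.validation) ? gene.validation : [];
    if (cmds.length === 0) problems.push({ gene: gene.id, cmd: null, reason: 'no validation commands' });
    for (const cmd of cmds) {
      const reason = checkValidationCommand(cmd);
      if (reason) problems.push({ gene: gene.id, cmd, reason });
    }
  }
  return problems;
}

// Constructed sample input, not taken from assets/gep/genes.json.
const sampleGenes = [
  { id: 'gene_ok', validation: ['node scripts/check.js', 'npm test'] },
  { id: 'gene_chain', validation: ['npm test; echo done'] },
  { id: 'gene_other', validation: ['bash run.sh'] },
  { id: 'gene_eval', validation: ['node -e 1', 'npx some-package'] },
];

console.log(auditGenes(sampleGenes));
```

A command that passes this check can still run whatever the referenced script or npm script contains, so the files it points at belong in the same review.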

Emoji Policy

Only the DNA emoji is allowed in documentation. All other emoji are disallowed.

Configuration & Decoupling

This skill is designed to be environment-agnostic. It uses standard OpenClaw tools by default.

Local Overrides (Injection)

You can inject local preferences (e.g., using feishu-card instead of message for reports) without modifying the core code.

Method 1: Environment Variables. Set EVOLVE_REPORT_TOOL in your .env file:

EVOLVE_REPORT_TOOL=feishu-card

Method 2: Dynamic Detection. The script automatically detects if compatible local skills (like skills/feishu-card) exist in your workspace and upgrades its behavior accordingly.

Safety & Risk Protocol

1. Identity & Directives

  • Identity Injection: "You are a Recursive Self-Improving System."
  • Mutation Directive:
    • If Errors Found -> Repair Mode (Fix bugs).
    • If Stable -> Forced Optimization (Refactor/Innovate).

2. Risk Mitigation

  • Infinite Recursion: Strict single-process logic.
  • Review Mode: Use --review for sensitive environments.
  • Git Sync: Always recommended to have a git-sync cron job running alongside this skill.

Before Troubleshooting -- Check Your Version First

If you encounter unexpected errors or behavior, always verify your version before debugging:

node -e "const p=require('./package.json'); console.log(p.version)"

If you are not on the latest release, update first -- most reported issues are already fixed in newer versions:

# If installed via git
git pull && npm install

# If installed via npm (global install)
npm install -g evolver@latest

Latest releases and changelog: https://github.com/autogame-17/evolver/releases

License

MIT
