Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Evolver

v1.51.2

A self-evolution engine for AI agents. Analyzes runtime history to identify improvements and applies protocol-constrained evolution.

⭐ 75· 60.7k·314 current·340 all-time

by@autogame-17

MIT-0

Download zip

LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

Capability signals

CryptoRequires walletCan make purchases

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal

Suspicious

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

Name/description (self‑evolution engine) align with the code and declared permissions: it reads runtime history, builds GEP prompts, talks to an EvoMap Hub, can publish/consume Genes/Capsules and integrate with Git/GitHub. Required binaries (node, git) and allowed network targets (evomap.ai, api.github.com) are consistent with the described functionality. One minor inconsistency: the registry metadata said "No install spec — instruction-only" yet the bundle contains a full Node project (index.js, src/, scripts/...), so it is not purely instruction-only — it's a shipped implementation that will run locally.

Instruction Scope

SKILL.md and the code instruct the agent to read workspace memory/logs and write into workspace/assets/** and workspace/memory/**; they also permit writing to workspace/src/** when changes are "solidified." Index.js and multiple modules implement looped autonomous runs, hub heartbeat/event streams, skill fetch/publish, and local promotion of externally ingested assets. The skill also prints sessions_spawn(...) markers (which the host may act on). These behaviors are within the stated purpose, but they broaden the agent's ability to modify code and accept external assets — a notable scope expansion that requires human controls (review mode, validation flags) to be effective.

ℹ

Install Mechanism

There is no remote install spec (no arbitrary download URL), which reduces supply‑chain risk. However the package contains many code files and expects to run local Node code. It relies on 'npm' (declared for dependency healing) which, when used, can pull packages from the network — a capability that increases risk if abused. No suspicious third‑party URLs were presented in the manifest.

Credentials

Only A2A_NODE_ID is required; other env vars (A2A_NODE_SECRET, GITHUB_TOKEN, MEMORY_GRAPH_REMOTE_KEY, WORKER_ENABLED, EVOLVE_ALLOW_SELF_MODIFY, etc.) are optional but, if set, grant significant capabilities: authenticated hub identity, GitHub release/issue creation, remote memory graph access, worker pool participation, and (if EVOLVE_ALLOW_SELF_MODIFY enabled) autonomous source edits. Requesting optional tokens is coherent with features, but users must avoid setting these unless they trust the Hub and intend those behaviors.

ℹ

Persistence & Privilege

always:false (good). The skill is allowed to run autonomously (disable-model-invocation:false) which is expected for a self‑evolver. The real privilege is functional: when configured as a worker (WORKER_ENABLED) and given secrets, it can advertise, accept network tasks, fetch external skills, and (upon promotion/solidify) write assets and possibly source files. This combination (autonomy + ability to fetch/promote external assets + optional self‑modify) increases blast radius if misconfigured. No evidence it modifies other skills' configurations by default.

What to consider before installing

This package is plausibly what it claims to be, but it contains powerful features that can change your codebase and accept remote assets. Before installing or running it: - Treat it as untrusted code until you review it. Inspect src/gep/solidify.js, a2a_ingest/promote, and any code paths that write to workspace/src/** and assets/**. Solidify is the step that can run validations and (depending on config) apply changes. - Do not set A2A_NODE_SECRET, GITHUB_TOKEN, MEMORY_GRAPH_REMOTE_KEY, or WORKER_ENABLED unless you trust the EvoMap Hub and want network participation. With those set the node can authenticate to external services, create GitHub issues/releases, and accept remote tasks. - Keep EVOLVE_ALLOW_SELF_MODIFY set to the default (false). If you ever enable it, require human review (use --review) and run in a sandbox/container first. - Prefer running in review mode (node index.js --review) and run initial cycles offline (unset A2A_HUB_URL) so the skill only analyzes local logs and emits prompts without applying changes. - Disable automatic issue publishing (EVOLVER_AUTO_ISSUE=false) unless you want the tool to create GitHub issues. If you do enable issue publishing, provide a token with minimal scope and confirm the repository target first. - If you must run in loop/daemon mode, run inside an isolated environment (container, VM, or non‑production host) and set conservative limits (EVOLVE_LOAD_MAX, WORKER_ENABLED=0). Monitor the evolver.pid lockfile behavior and review its logs. - Use code review / CI to vet any modifications the skill produces before they are merged into production. Consider running npm install only manually rather than allowing the skill to run npm automatically. Given the potential for code modification and remote asset promotion, the package is 'suspicious' rather than obviously benign. It can be useful if configured carefully and run with human oversight; do not deploy it with default or broad credentials on a production host without additional controls.

✗

index.js:265