Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Capability Evolver

v1.20.4

A self-evolution engine for AI agents. Analyzes runtime history to identify improvements and applies protocol-constrained evolution.

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for toller892/evolver-official.

Install the skill "Capability Evolver" (toller892/evolver-official) from ClawHub.
Skill page: https://clawhub.ai/toller892/evolver-official
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install evolver-official

ClawHub CLI

npx clawhub@latest install evolver-official

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill says it is a protocol-constrained self-evolution engine (reads logs, emits prompts, optional review). That purpose would legitimately need access to local logs, assets/gep and optional publishing tokens. However: (1) index.js requires modules under ./src (e.g., ./src/evolve, ./src/gep/solidify, ./src/gep/a2aProtocol) but the package manifest does not include a src/ tree — this is an incoherence (missing implementation). (2) README and SKILL.md make contradictory claims: README states it does not edit code automatically, but the runtime and env var EVOLVE_ALLOW_SELF_MODIFY imply self-modification is supported. (3) The skill inspects workspace files and detects local skills, which is consistent with its meta-purpose but expands its access surface beyond what a simple 'analyze-only' skill would need.
! Instruction Scope
SKILL.md and index.js instruct the agent to read memory/history files, assets/gep files, and .env (dotenv is loaded). The solidify flow (documented) runs validation commands from Genes (commands executed with node/npm/npx, but still executed). index.js also prints sessions_spawn(...) text to stdout; on some hosts that text may be interpreted/executed by the platform. The instructions therefore: read local secrets (.env), traverse workspace to detect other skills, run validation commands (shell child processes), write event/state files, and can restart itself — all broader than a narrow 'prompt generator' and not fully declared in registry metadata.
Install Mechanism
No install spec is provided (instruction-only), and package.json lists only dotenv as a dependency. That limits external download risk. However, because code expects src/ modules which are not present in the manifest, the package as distributed is incomplete — this could be a packaging error or a sign of tampering. No external URL downloads or extract operations are present in the provided files.
! Credentials
Registry metadata lists no required env vars, but SKILL.md/README reference many environment variables (EVOLVE_ALLOW_SELF_MODIFY, EVOLVE_REPORT_TOOL, EVOLVE_STRATEGY, EVOLVER_* thresholds, GITHUB_TOKEN, GH_TOKEN, etc.). The skill loads .env at startup, which could expose sensitive tokens if .env contains them. The ability to run validation commands (and optional publishing flows) means GitHub tokens and similar could be used; those env references are not declared as required/primary credentials — a mismatch and proportionality concern.
! Persistence & Privilege
always:false (good). But the skill is user-invocable and can be invoked autonomously by the agent (default behavior). Combined with: (a) ability to run in continuous loop and respawn itself, (b) writing lock/state files (evolver.pid, memory/evolution_solidify_state.json, assets/...), (c) optional self-modify env toggle, and (d) executing validation commands from Genes, this grants it a persistent, active presence and significant ability to change local repo state if configured to do so. This is a powerful capability and should be limited to controlled environments.
What to consider before installing
This package is internally inconsistent and should not be trusted blindly. Key actions before installing or running:
1) Do not run in production or on a machine with secrets. Run only in an isolated test environment or container.
2) Inspect the missing src/ code: index.js requires ./src/* modules but the package manifest omitted them — ask the publisher for the complete source or fetch from a verified upstream.
3) Keep EVOLVE_ALLOW_SELF_MODIFY disabled (default false). Use --review mode when possible.
4) Ensure you have no sensitive values in .env or environment variables (GITHUB_TOKEN, GH_TOKEN, AWS_*, etc.) before running.
5) Review any Gene validation commands and scripts (solidify/skillDistiller/a2a scripts) before allowing promotion or running distillation/publishing flows.
6) Treat sessions_spawn stdout strings as potentially actionable if your host interprets stdout; confirm your runtime will not execute printed commands.
7) Prefer to only use this after obtaining the full source (including src/) from a verifiable origin (homepage/repo), and verifying that the behavior matches the documentation.
If you cannot verify the missing files or provenance, do not install.
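
A pre-install check for the missing-module, self-modify and .env items above, as an added example that is not part of the scan report or the skill's own code. It reports which relative modules index.js requires that are absent from the packaged files, which secret-like keys in .env are set, and whether EVOLVE_ALLOW_SELF_MODIFY is switched on. The function names, the sample inputs and the rule that any value other than empty, 0, false, no or off counts as enabled are assumptions.

```javascript
// Added example. Function names and sample inputs are constructed for illustration.
const SENSITIVE_KEY = /^(GITHUB_TOKEN|GH_TOKEN|AWS_[A-Z0-9_]+)$/;

// Collect relative require() targets such as require('./src/evolve').
function relativeRequires(source) {
  const re = /require\(\s*['"](\.\/[^'"]+)['"]\s*\)/g;
  return [...source.matchAll(re)].map((m) => m[1]);
}

// Try the candidates Node's CommonJS loader would: exact, .js, .json, /index.js.
function isPackaged(spec, files) {
  const base = spec.replace(/^\.\//, '');
  return [base, `${base}.js`, `${base}.json`, `${base}/index.js`].some((c) => files.has(c));
}

// Parse KEY=VALUE lines; comment and blank lines do not match and are skipped.
function parseEnv(text) {
  const env = {};
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (m) env[m[1]] = m[2].trim().replace(/^(['"])(.*)\1$/, '$2');
  }
  return env;
}

function preflight(indexSource, packagedFiles, envText) {
  const files = new Set(packagedFiles);
  const env = parseEnv(envText);
  return {
    missingModules: relativeRequires(indexSource).filter((s) => !isPackaged(s, files)),
    sensitiveKeys: Object.keys(env).filter((k) => SENSITIVE_KEY.test(k) && env[k] !== ''),
    // Assumption: anything other than empty/0/false/no/off enables self-modification.
    selfModifyEnabled: !/^(|0|false|no|off)$/i.test(env.EVOLVE_ALLOW_SELF_MODIFY || ''),
  };
}

// Constructed inputs: an index.js excerpt, a packaged-file list, and a .env file.
const sampleIndex = `require('dotenv').config();
const evolve = require('./src/evolve');
const { solidify } = require('./src/gep/solidify');
const pkg = require('./package.json');`;
const sampleFiles = ['index.js', 'package.json', 'README.md', 'SKILL.md'];
const sampleEnv = `# constructed values
EVOLVE_STRATEGY=balanced
EVOLVE_ALLOW_SELF_MODIFY=true
GH_TOKEN="placeholder-not-a-real-token"
AWS_REGION=`;

console.log(JSON.stringify(preflight(sampleIndex, sampleFiles, sampleEnv), null, 2));
```

An empty missingModules list only shows that the files are present; it says nothing about what they do, so the source review in the list above still applies.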
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
index.js:159: Shell command execution detected (child_process).

Like a lobster shell, security has layers — review code before you run it.

Tags: ai, core, evolution, latest, meta, openclaw, self-improvement
204 downloads
0 stars
1 version
Updated 5d ago
v1.20.4
MIT-0

🧬 Capability Evolver

"Evolution is not optional. Adapt or die."

The Capability Evolver is a meta-skill that allows OpenClaw agents to inspect their own runtime history, identify failures or inefficiencies, and autonomously write new code or update their own memory to improve performance.

Features

  • Auto-Log Analysis: Automatically scans memory and history files for errors and patterns.
  • Self-Repair: Detects crashes and suggests patches.
  • GEP Protocol: Standardized evolution with reusable assets.
  • One-Command Evolution: Just run /evolve (or node index.js).

Usage

Standard Run (Automated)

Runs the evolution cycle. If no flags are provided, it assumes fully automated mode (Mad Dog Mode) and executes changes immediately.

node index.js

Review Mode (Human-in-the-Loop)

If you want to review changes before they are applied, pass the --review flag. The agent will pause and ask for confirmation.

node index.js --review

Mad Dog Mode (Continuous Loop)

To run in an infinite loop (e.g., via cron or background process), use the --loop flag or just standard execution in a cron job.

node index.js --loop

Configuration

| Environment Variable | Default | Description |
| --- | --- | --- |
| EVOLVE_ALLOW_SELF_MODIFY | false | Allow evolution to modify evolver's own source code. NOT recommended for production. Enabling this can cause instability -- the evolver may introduce bugs into its own prompt generation, validation, or solidify logic, leading to cascading failures that require manual intervention. Only enable for controlled experiments. |
| EVOLVE_LOAD_MAX | 2.0 | Maximum 1-minute load average before evolver backs off. |
| EVOLVE_STRATEGY | balanced | Evolution strategy: balanced, innovate, harden, repair-only, early-stabilize, steady-state, or auto. |

GEP Protocol (Auditable Evolution)

This package embeds a protocol-constrained evolution prompt (GEP) and a local, structured asset store:

  • assets/gep/genes.json: reusable Gene definitions
  • assets/gep/capsules.json: success capsules to avoid repeating reasoning
  • assets/gep/events.jsonl: append-only evolution events (tree-like via parent id)

Emoji Policy

Only the DNA emoji is allowed in documentation. All other emoji are disallowed.

Configuration & Decoupling

This skill is designed to be environment-agnostic. It uses standard OpenClaw tools by default.

Local Overrides (Injection)

You can inject local preferences (e.g., using feishu-card instead of message for reports) without modifying the core code.

Method 1: Environment Variables. Set EVOLVE_REPORT_TOOL in your .env file:

EVOLVE_REPORT_TOOL=feishu-card

Method 2: Dynamic Detection. The script automatically detects if compatible local skills (like skills/feishu-card) exist in your workspace and upgrades its behavior accordingly.

Safety & Risk Protocol

1. Identity & Directives

  • Identity Injection: "You are a Recursive Self-Improving System."
  • Mutation Directive:
    • If Errors Found -> Repair Mode (Fix bugs).
    • If Stable -> Forced Optimization (Refactor/Innovate).

2. Risk Mitigation

  • Infinite Recursion: Strict single-process logic.
  • Review Mode: Use --review for sensitive environments.
  • Git Sync: Always recommended to have a git-sync cron job running alongside this skill.

Before Troubleshooting -- Check Your Version First

If you encounter unexpected errors or behavior, always verify your version before debugging:

node -e "const p=require('./package.json'); console.log(p.version)"

If you are not on the latest release, update first -- most reported issues are already fixed in newer versions:

# If installed via git
git pull && npm install

# If installed via npm (global install)
npm install -g evolver@latest

Latest releases and changelog: https://github.com/autogame-17/evolver/releases

License

MIT
