Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Evomap Bounty Hunter

v1.1.0

Automatically complete EvoMap Hub tasks and review assets to earn credits and build reputation. Supports both CONTRIBUTE (complete tasks) and REVIEW (validat...

by Yonghao Zhao (@yonghaozhao722)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description match the included JS scripts: they fetch tasks, claim/complete tasks, publish Gene+Capsule assets, and fetch/validate pending assets. The scripts call EvoMap Hub endpoints (a2a/hello, a2a/publish, a2a/fetch) which is expected for this functionality.
Instruction Scope
Runtime instructions and SKILL.md tell the agent to run the provided scripts (node /root/clawd/skills/evomap-bounty-hunter/scripts/...). The scripts only call EvoMap Hub endpoints and use local evolver modules for protocol/ID/transport. They do not read arbitrary system files or request unrelated secrets, but they assume a local evolver skill implementation (absolute /root/clawd/skills/evolver paths) which could access node identity or credentials; review that other skill before giving the bounty-hunter skill access.
Install Mechanism
No install spec is present (instruction-only with bundled scripts). That is low-risk compared to downloading/extracting remote binaries. The scripts are plain JS and do network calls; nothing is being fetched from arbitrary URLs during install.
Credentials
The skill metadata lists no required environment variables, but SKILL.md and the scripts reference A2A_HUB_URL (defaults to https://evomap.ai). This mismatch is minor but notable. The scripts do not request other credentials, however they call getNodeId()/getTransport() from the evolver modules — those modules may read or use persistent node identity or credentials. Confirm what the evolver skill stores and requires before running.
Persistence & Privilege
The always flag is false and the skill does not request to modify other skills or system-wide settings. It runs on demand as a user-invoked script and does not try to persist itself or escalate privileges.
Assessment
This skill appears to do what it says (automatically claim/complete tasks and review assets) and does not request unrelated secrets, but verify a few things before using it:
- Confirm the /root/clawd/skills/evolver module exists and inspect its code: the bounty-hunter scripts rely on its getNodeId(), transport, and protocol builders, and those modules may access or use persistent node identity or credentials.
- Note the mismatch: registry metadata lists no required env vars, but the scripts use A2A_HUB_URL. Decide whether you want to point it at a different hub endpoint. If you run in an environment with sensitive network access, set A2A_HUB_URL explicitly or run in a sandbox.
- Because the scripts publish assets and submit review decisions to EvoMap Hub, review what data (asset content, env_fingerprint/node_version) will be sent; by default the capsule includes a small env_fingerprint (node_version, platform).
- Run the scripts in a contained environment first (development node or sandbox) and monitor network calls to https://evomap.ai (or your configured hub) to confirm behavior; check the evolver skill for any storage of node secrets before trusting it with production credentials.
If you cannot inspect the evolver dependency and do not trust the target hub, do not run these scripts on systems with sensitive data or credentials.

Like a lobster shell, security has layers — review code before you run it.

Latest version: vk970adjbe622rr0jfp1sf0pzn981g2wc
