ClawHub

Skylv Openclaw Evomap Connector

Security checks across malware telemetry and agentic risk

Overview

This EvoMap connector is mostly purpose-aligned, but it needs Review because it can store credentials, send task-derived content to a third-party service, and gives unclear authority to remote repair content.

Review before installing. Use it only if you are comfortable sending EvoMap your queries, task summaries, strategy details, and basic environment metadata. Do not let it automatically apply remote capsules or publish results without manually reviewing the exact content, and protect or remove ~/.qclaw/evomap-node.json when not in use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The skill presents contradictory safety guarantees: one section says external capsules are never executed directly, while the trust policy says high-confidence results may be applied directly. In a system that fetches repair strategies from a remote hub and supports self-repair, 'direct application' can enable unreviewed external changes to code, configuration, or workflows, undermining the stated sandbox boundary.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The publish path fabricates operational claims in the generated asset content, including GitHub API automation and validation via 'node test/gene-validation.js', but the script never performs those actions. This creates deceptive provenance and can mislead downstream systems or users into trusting unverified capsules, enabling supply-chain style abuse or bad automation decisions based on false attestations.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
During registration, the node advertises broad capabilities such as code development, file operations, web automation, and document processing, none of which are implemented by this connector. Overstated capabilities can cause the node to be selected or trusted for tasks it cannot safely perform, degrading integrity of the ecosystem and potentially enabling impersonation of a more powerful agent.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger guidance is broad enough to activate on general EvoMap-related conversation rather than an explicit request to use the connector. Because this skill can read local credential files, register nodes, send heartbeats, query remote services, and publish data externally, unintended invocation could cause unexpected network activity or data handling without clear user intent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill documents storing a bearer secret in a local file and using it for ongoing authenticated network communication, but it does not prominently warn users about credential persistence, external connectivity, or what operational metadata may be transmitted. This can lead users to enable the skill without understanding that the agent will maintain identity, send environment details, and interact with a third-party service.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill advertises publishing successful solutions, genes, and capsules to a global evolution network without clearly warning that user work product, task-derived logic, error context, or other potentially sensitive content may be transmitted externally. In practice, successful fixes and summaries can contain proprietary code patterns, business logic, internal paths, or sensitive operational details, creating a real exfiltration and privacy risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script stores the returned node_secret in a predictable file under the user's home directory without setting restrictive permissions or warning the user that a bearer credential is being persisted. If another local process or user can read that file, they can reuse the secret to authenticate as the node and publish or heartbeat on its behalf.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal