Workspace Main

Security checks across malware telemetry and agentic risk

Overview

The package is advertised as a no-key multi-search helper, but the supplied artifacts contain a persistent self-evolving agent framework with memory access, shell execution, credentials, and external agent/network communication.

Do not install this as a search skill. If you intentionally want a Capability Evolver, obtain it from a trusted source, review the full code, remove or disable hooks, loops, A2A, auto-issue reporting, and shell execution, and never provide tokens until the package is accurately declared and audited.

VirusTotal

66/66 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI09: Human-Agent Trust Exploitation
Critical
What this means

A user expecting simple search instructions may install a package that tries to guide, persist, and evolve an agent.

Why it was flagged

This bundled README describes a self-evolution engine, while SKILL.md advertises a no-key multi-search engine; that mismatch can mislead users about what they are installing.

Skill content
The **Capability Evolver** inspects runtime history, extracts signals, selects a Gene/Capsule, and emits a strict GEP protocol prompt to guide safe evolution.
Recommendation

Do not install under the search-engine description. Republish with accurate metadata or remove the unrelated evolver/workspace artifacts.

ASI04: Agentic Supply Chain Vulnerabilities
High
What this means

The installed package may include and expose code paths the user would not expect from an instruction-only search skill.

Why it was flagged

The registry presents an instruction-only skill with unknown source, but the artifact set includes a large runnable Node project and hooks, creating a major provenance and hidden-helper gap.

Skill content
Source: unknown; No install spec — this is an instruction-only skill; Code file presence 75 code file(s)
Recommendation

Require accurate install metadata, provenance, and a minimal file set; reject the package until the unexpected code and hooks are removed or fully reviewed.

ASI01: Agent Goal Hijack
High
What this means

The agent could prioritize the package's persona and memory workflow over the user's actual request.

Why it was flagged

These instructions attempt to set the agent's identity, context-loading order, and permission posture before the user's task, which is unrelated to search-engine integration.

Skill content
Before doing anything else: ... Read `SOUL.md` ... Read `USER.md` ... Read `memory/YYYY-MM-DD.md` ... Don't ask permission. Just do it.
Recommendation

Remove workspace-level behavioral instructions from a search skill and ensure any persistent context loading requires explicit user consent.

ASI10: Rogue Agents
Critical
What this means

If run, the package can keep operating in the background and restart itself rather than acting only when the user invokes a search helper.

Why it was flagged

The code starts a hub heartbeat, runs an infinite loop, and can detach-spawn a replacement process, which is persistent autonomous behavior outside the stated search purpose.

Skill content
startHeartbeat(); ... while (true) { ... const child = spawn(process.execPath, [__filename, ...args], spawnOpts); child.unref();
Recommendation

Do not run the lifecycle or loop commands. Remove persistent daemon, heartbeat, and self-restart behavior unless this is explicitly installed as an evolver service.

ASI05: Unexpected Code Execution
High
What this means

Running the package could execute local commands in the user's workspace, including validation or package-management commands.

Why it was flagged

Static scan evidence shows execution of command strings; README also describes Gene validation commands. This is unnecessary for a search URL skill and expands execution risk.

Skill content
return execSync(cmd, { cwd, encoding: 'utf8', stdio: ['ignore', 'pipe', 'pipe'], timeout: timeoutMs, windowsHide: true });
Recommendation

Remove command execution from the search package or gate it behind explicit, audited user approval with narrow allowed commands.

ASI02: Tool Misuse and Exploitation
High
What this means

The agent may alter files or publish repository changes without the user's explicit approval.

Why it was flagged

The instructions encourage proactive repository mutation and pushing changes without asking, which is high-impact and unrelated to search.

Skill content
Proactive work you can do without asking: ... Check on projects (git status, etc.) ... Update documentation ... Commit and push your own changes
Recommendation

Require user confirmation for file mutation, commits, pushes, and any action that changes local or remote project state.

ASI03: Identity and Privilege Abuse
High
What this means

A repo-scoped token could let the package act on GitHub repositories, such as creating issues or releases, beyond search functionality.

Why it was flagged

The package documents use of repo-scoped GitHub credentials for automatic issue reporting, while registry metadata and SKILL.md declare no credentials and the stated search purpose does not require GitHub authority.

Skill content
Requires `GITHUB_TOKEN` (or `GH_TOKEN` / `GITHUB_PAT`) to be configured, with `repo` permission. When no token is configured, this feature is silently skipped.
Recommendation

Do not provide GitHub or other service tokens to this package; if republished as an evolver, declare credentials and require least-privilege scopes.

ASI06: Memory and Context Poisoning
High
What this means

Private notes may be repeatedly loaded, changed, or used to shape future agent behavior in ways the user did not expect.

Why it was flagged

The artifact directs persistent reading and editing of long-term memory files, which can store private context and influence future sessions; this is not bounded to search tasks.

Skill content
You can **read, edit, and update** MEMORY.md freely in main sessions ... Capture what matters. Decisions, context, things to remember.
Recommendation

Remove persistent memory directives from the skill, or clearly separate them into an explicit memory feature with scope, retention, and review controls.

ASI07: Insecure Inter-Agent Communication
High
What this means

The package may communicate with external agent infrastructure or ingest external assets, creating unclear identity and data boundaries.

Why it was flagged

Static scan evidence shows a default external hub for A2A/task-receiver behavior, and README documents A2A asset ingestion; neither is part of a search-engine skill.

Skill content
const HUB_URL = process.env.A2A_HUB_URL || process.env.EVOMAP_HUB_URL || 'https://evomap.ai';
Recommendation

Disable A2A/task-receiver behavior by default, require explicit opt-in, authenticate peers, and document exactly what data is sent or received.