Hydra Evolver
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
This skill fits a homelab orchestration purpose, but it includes powerful provisioning scripts that execute remote installers and change host privileges without clear safeguards.
Install or invoke this only if you intentionally want an agent to help administer a homelab machine. Review provision.sh before running it, avoid broad Proxmox credentials, confirm every host-level change manually, and run network scans only on networks you control.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the provision command allows third-party installer scripts to make system-level changes to the machine.
The provisioning command executes mutable remote installer scripts without version pinning, checksums, or reviewed local copies.
curl -fsSL https://get.docker.com | sh ... curl https://get.volta.sh | bash ... curl -fsSL https://tailscale.com/install.sh | sh
Review the installer sources before use, prefer pinned package-manager installs or checksummed downloads, and run provisioning manually with explicit approval.
If invoked on the wrong machine or by an agent without careful review, it can alter the host environment and installed software.
The exposed provisioning helper performs high-impact host mutations and global software installation with no dry run, confirmation prompt, OS guard, or rollback path.
apt-get update && apt-get install -y curl; ... npm install -g openclaw
Require an explicit user confirmation for provisioning, add dry-run output, document supported OSes, and provide cleanup or rollback instructions.
Docker group access can grant broad control over the host through containers, so this changes the security posture of the machine.
The script persistently adds the sudo user to the Docker group, which materially changes local privilege boundaries.
usermod -aG docker $SUDO_USER
Ask for explicit consent before changing user groups, explain the privilege implications, and provide a command to reverse the change.
A user may provide Proxmox credentials without clear documentation of the permissions needed or where they will be used.
The skill mentions Proxmox API credentials, but the registry metadata declares no required environment variables or primary credential and the reviewed code does not show clear scoping for token use.
env: ["PVE_TOKEN_ID", "PVE_TOKEN_SECRET"]
Use a least-privilege Proxmox token, do not provide broad admin credentials, and require the skill to declare credential scope in metadata.
Content in PROJECTS.md or MEMORY.md can influence what the agent decides to investigate next.
The evolve helper reads persistent project/memory files and turns their contents into suggested follow-up instructions.
memory_file = find_file('MEMORY.md', search_paths) ... "instruction": f"Read logs in {p.get('location', 'project dir')} to determine why '{name}' is paused."Review generated evolution plans before acting on them and treat project/memory files as untrusted input unless you control them.
Local network discovery may reveal devices or services and could be unwanted on networks you do not administer.
The mesh_scan helper probes specific local network addresses for SSH and OpenClaw gateway ports.
SUBNET = "192.168.0." ... sock.connect_ex((ip, 22)) ... sock.connect_ex((ip, 18789))
Run scans only on networks you own or have permission to assess, and document the target IP range before scanning.
Users may overestimate the skill's privacy or prompt-injection protections.
The provided artifacts do not show web-research functionality or implemented prompt-injection boundaries to substantiate this safety claim.
"ZeroLeaks Hardened": Built-in boundaries to prevent prompt injection during web research.
Do not rely on this claim without implementation evidence; the author should either document the mechanism or remove the claim.