AI Harness Engineering
AdvisoryAudited by VirusTotal on Apr 1, 2026.
Overview
Type: OpenClaw Skill Name: ai-harness-engineering Version: 1.0.0 The skill implements an automated 'self-evolution' mechanism that records user corrections and 'promotes' them into the agent's core configuration files (e.g., SOUL.md, AGENTS.md) via promote.py. While the stated purpose is self-improvement, the ability to automatically modify the agent's behavioral constraints and workspace files—combined with scheduled cron tasks in SKILL.md—presents a high risk for persistent indirect prompt injection. A malicious user could provide a 'correction' that, once promoted, permanently compromises the agent's security posture or personality. No evidence of intentional data exfiltration or remote code execution was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or malicious correction could be saved and reused later, affecting future answers even when the user did not ask for that context.
Saved ledger content is automatically reintroduced into future session context and answer generation, so incorrect or adversarially phrased feedback could persistently influence the agent.
错误摘要注入:session启动时自动读取错误台账摘要,注入到上下文 ... 回答前自检:每次回答前自动查询错误台账
Require explicit user approval before injecting ledger content into context, quote/sanitize saved user text, and provide a clear way to review, edit, or disable stored lessons.
The skill can modify core behavior or memory files, making logged lessons persistent rules for the agent.
The script appends learned details into global workspace files that can shape agent behavior, not just into the skill's own ledger.
workspace = Path.home() / ".qclaw" / "workspace" ... entry += f"**详情**: {details}\n\n" ... target_path.write_text(existing, encoding='utf-8')Make promotion a manual or dry-run-first workflow, require confirmation before writing SOUL.md/AGENTS.md/TOOLS.md/MEMORY.md, and keep backups or rollback support.
Background tasks may keep changing persistent agent state after the original conversation has ended.
The skill declares always-on behavior and a recurring task that can automatically promote stored learnings without a direct user request at that time.
always: true ... auto_promote: schedule: "every 2h" ... task: "python3 {SKILL_DIR}/scripts/promote.py --action auto_promote"Disable automatic cron promotion by default, make scheduled jobs opt-in, and notify the user before any background task changes workspace files.