Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

six-dimension-evolution

v1.0.0

Six-dimension evolution system for AI agents. Transform from reactive assistant to proactive partner with lessons tracking, success patterns, decision review...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (agent self‑improvement) aligns with the actions the skill prescribes: creating LESSONS/SUCCESSES/DECISIONS/PREFERENCES/SKILL_STATS/KNOWLEDGE_GAPS and heartbeat files and then performing daily reviews. Creating and updating workspace files and logs is proportionate to the stated purpose. One mismatch: the SKILL.md explicitly instructs pushing complete reports via Feishu (飞书) but the skill declares no environment variables or credentials for an external push service.
Instruction Scope
The instructions mandate enumerating and reading session files, memory files, and many workspace/config files and then writing/patching HEARTBEAT.md and SKILL_STATS.md (installed timestamp). Those actions are within a self‑improvement system, but the skill also requires producing and '推送完整报告' (push full reports) externally without specifying how to authenticate or which endpoint — this creates a risk of leaking sensitive conversation data if the agent is configured to forward reports. The instructions also insist on modifying HEARTBEAT.md scheduling rules automatically, which changes agent behavior and scheduling without further checks beyond the initial prompt.
Install Mechanism
Instruction-only skill with no install spec and no code to download or execute; lowest install risk. It performs file operations (cp/mkdir) from the local templates directory to the user's workspace, which is expected for a template-based skill.
Credentials
The skill references external push (飞书 Interactive Card) and scheduling triggers but declares zero required environment variables and no credentials. If the skill expects to push to Feishu or other external systems, it should declare required tokens/URLs. Also it expects write access to multiple workspace/config files (HEARTBEAT.md, SKILL_STATS.md, config/heartbeat-state.json, memory/*.md), which is reasonable functionally but is a privilege the user should explicitly consent to.
Persistence & Privilege
The skill does not set always:true and is user-invocable only. However it instructs writing an 'installed' timestamp and modifying HEARTBEAT.md to add scheduled heartbeat tasks — that grants it persistent presence via workspace files and scheduled behavior. This is explainable for an evolution system but the user should be aware it modifies scheduling/config so future autonomous actions (daily heartbeats) may be triggered by those files.
What to consider before installing
This skill is a template-based 'agent self-improvement' system and will copy multiple files into your ~/.openclaw/workspace, write an installed timestamp, and add/modify HEARTBEAT.md to schedule daily heartbeats. Before installing:
1) Back up your workspace and HEARTBEAT.md.
2) Review the template files to confirm you’re comfortable with automated daily reads of memory/session files and automatic writes to SKILL_STATS.md, MEMORY.md, etc.
3) Ask the skill author how report pushing is implemented — the SKILL.md mentions sending full reports via Feishu but provides no instructions or required credentials (this is an incoherence and a potential data‑exfiltration vector if misconfigured).
4) If you don’t want automatic scheduling or external pushes, decline activation or ask for a version that only provides templates without modifying HEARTBEAT.md or pushing reports.
5) If you install, monitor the first activation closely and verify what is sent externally and to which endpoints.
