Self Improving Agent 1.0.2
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: self-improving-agent-1-0-2
Version: 1.0.0

The skill bundle is classified as suspicious due to its reliance on powerful capabilities that, while intended for benign self-improvement, present a significant attack surface. Specifically, the `scripts/extract-skill.sh` script performs file system modifications (`mkdir`, `cat >`) and executes shell commands (`sed`, `awk`) based on user-provided input (`skill-name`), which could be exploited if the input is not properly sanitized. Additionally, the `scripts/error-detector.sh` reads the `CLAUDE_TOOL_OUTPUT` environment variable, which can contain sensitive command outputs, and the `SKILL.md` and `references/clawdbot-integration.md` instruct the agent to write to various project and workspace files (`.learnings/*.md`, `CLAUDE.md`, `AGENTS.md`, `SOUL.md`, `TOOLS.md`) and use inter-agent communication (`sessions_send`). While the stated purpose is knowledge management, these capabilities (shell execution, file writes, reading sensitive environment variables, inter-agent communication) are high-risk and could be misused if the agent or its inputs were compromised, pushing it beyond 'benign'.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken, overly broad, or sensitive learning could be preserved and reused by future agents, causing repeated bad behavior or accidental disclosure in project memory files.
The skill authorizes durable changes to files that future agents may treat as trusted instructions or memory. The artifacts do not show a clear approval, review, or redaction gate before promotion.
When a learning is broadly applicable (not a one-off fix), promote it to permanent project memory. ... Add to appropriate section in target file (create file if needed)
Require explicit user review before promoting entries to CLAUDE.md, AGENTS.md, SOUL.md, TOOLS.md, or Copilot instructions, and add redaction guidance for secrets, private data, and one-off context.
Debug logs could accidentally retain secrets, internal paths, customer data, or other sensitive details if the agent logs raw outputs.
The intended logging format may store raw command output, inputs, and environment details in persistent markdown files.
Append to `.learnings/ERRORS.md` ... Actual error message or output ... Command/operation attempted ... Input or parameters used ... Environment details if relevant
Sanitize logs before writing them, avoid storing tokens or personal data, and consider keeping `.learnings/` out of version control unless reviewed.
If enabled, the scripts will run repeatedly during agent use and add reminders into context.
The optional hook setup runs local shell scripts automatically on prompt submission and Bash tool completion. The reviewed scripts only emit reminders/read tool output, but enabling hooks is still automatic command execution.
"UserPromptSubmit" ... "type": "command", "command": "./skills/self-improvement/scripts/activator.sh" ... "PostToolUse" ... "command": "./skills/self-improvement/scripts/error-detector.sh"
Enable hooks only after reviewing the scripts, prefer project-level configuration over global configuration, and disable them if they become intrusive.
Cross-session sharing can expose context from one task to another if session IDs or message contents are not carefully chosen.
The Clawdbot integration documents reading another session's transcript and sending learnings to other sessions.
sessions_history --session <session-id> --last 50 ... sessions_send --to <session-id> --message "Learning: API requires X-Custom-Header"
Share only sanitized, task-relevant learnings and confirm the destination session before sending messages or reading transcripts.
