Meta-Harness Evolver

This skill implements an automated loop that reads your agent's workspace (including config files and evolution traces), spawns sub-agents to propose edits, evaluates candidates, and posts summaries to a Discord channel. Before installing, consider the following mitigations: - Confirm runtime dependencies: ensure the environment provides the 'openclaw' CLI and the openclaw.sessions API; the skill does not declare these dependencies but relies on them. - Protect secrets: TOOLS.md and memory files may contain tokens/keys. Add programmatic checks that detect and reject any candidate that changes credential values or adds credential-like content. Do not rely on the proposer to obey textual rules. - Harden validation: current validation only checks that files exist and are non-trivial length. Add automatic diff checks (detect changes to credential lines, large diffs, or additions of network endpoints) and block/post for human review when thresholds are exceeded. - Sanitize external posts: the Discord posting step includes proposer reasoning and change summaries. Ensure messages are sanitized (strip secrets) and limit what fields are posted automatically; require manual approval for candidate diffs that touch TOOLS.md, MEMORY.md, or HEARTBEAT.md. - Limit sub-agent privileges: run the proposer sub-agent in a sandboxed environment with read-only mounts for any truly sensitive files and explicit write-only areas for candidate output; enforce file-level policy checks after the proposer finishes and before evaluation. - Add audit and alerting: log all proposer outputs and diffs to an audit location and notify a human (Tyler) before accepting candidates that change files beyond small diffs. Given these gaps — missing declared dependencies, weak programmatic enforcement of 'do not change secrets', and automatic posting of proposer traces — treat the skill as suspicious until such safeguards are added.