Meta-Harness Evolver

Warn

Audited by ClawScan on May 10, 2026.

Overview

This skill is a self-running agent-improvement loop that can read credential-bearing configs, persist and evolve agent behavior files, spawn sub-agents, and post summaries to Discord without clear human approval boundaries.

Install only if you are comfortable with an automated agent-evolution loop touching OpenClaw harness files. Before running it, remove secrets from TOOLS.md, disable nightly cron until reviewed, add sandboxing and code-enforced path limits, require human approval before accepting candidates or posting to Discord, and regularly inspect ~/hoss-evolution/ for sensitive logs.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Sensitive account or infrastructure details could be copied into the evolution workspace or indirectly exposed through logs or summaries.

Why it was flagged

The skill's own harness spec says one of the files it reads and evolves can contain credentials and infrastructure access details. The artifacts restrict changing credential values but do not clearly restrict copying, logging, summarizing, or otherwise exposing them.

Skill content

TOOLS.md — What it controls: All tool configs, credentials (API keys, tokens), host IPs, SSH details... Do NOT change: Actual credential values, API tokens, passwords.

Recommendation

Do not run this against a TOOLS.md containing real secrets unless secrets are removed or redacted; add explicit secret-handling rules and metadata declarations.

What this means

The agent's behavior can drift over time while the user is not present, and generated changes may accumulate into future runs.

Why it was flagged

The skill is designed as an autonomous recurring loop that changes persistent agent harness candidates and publishes results without a clear per-run human approval gate.

Skill content

Each night at 3 AM CDT, this skill: ... Proposes a targeted harness modification via a coding-agent sub-agent ... Logs the candidate harness + scores + execution traces ... Posts a summary report to #research Discord channel

Recommendation

Run this only in manual or dry-run mode until a human approval step is required before accepting candidates, updating the best harness, or posting externally.

What this means

A sub-agent could make broader filesystem or harness changes than intended if the prompt constraints fail or if prior candidate content influences it.

Why it was flagged

The main loop spawns a coding sub-agent to perform filesystem-based proposal work, while the main safety boundaries are prompt instructions such as not touching files outside the harness spec.

Skill content

result = sessions_spawn(task=proposer_task, label=f"harness-proposer-{agent_session_id}", runtime="subagent", mode="run", run_timeout_seconds=300)

Recommendation

Enforce file path allowlists in code, validate exact diffs before accepting them, and require approval for edits to TOOLS.md, AGENTS.md, MEMORY.md, or other control files.

What this means

A flawed or malicious-looking prior candidate could influence later harness changes, and private details could remain in long-lived evolution logs.

Why it was flagged

The skill intentionally stores and reuses generated candidates and reasoning traces as future context, creating a persistent feedback channel that can carry bad instructions, poisoned reasoning, or sensitive details forward.

Skill content

Proposer reads ALL prior candidates' source + traces ... exposes full history (~10M tokens possible) via filesystem

Recommendation

Treat prior candidates and traces as untrusted input; add sanitization, retention limits, secret scanning, and a review step before reusing traces.

What this means

Private harness details or sensitive reasoning could be posted to Discord if they appear in the proposer trace.

Why it was flagged

The script sends generated proposer reasoning and change summaries to a hardcoded Discord channel, but the artifacts do not show redaction or approval before posting.

Skill content

reasoning = get_proposer_reasoning(candidate_dir) ... ["openclaw", "message", "--channel", "discord", "--target", DISCORD_CHANNEL_ID, "--message", message]

Recommendation

Require user approval before posting, redact secrets and private workspace details, and make the Discord target configurable and clearly declared.