Self Evolving Skill
Security checks across malware telemetry and agentic risk
Overview
Review recommended: this self-learning skill is not clearly malicious, but it exposes persistent skill-evolution tools and references missing Python core code that was not available for review.
Install only if you are comfortable with a persistent self-learning skill that can alter its own skill state. Before enabling it, ask the publisher for the missing core Python files, confirm exactly where data is stored, disable auto-start unless needed, and avoid providing sensitive context until retention and deletion controls are documented.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The installed skill may fail, use an unexpected storage location, or require unreviewed missing Python code to perform its core functions.
The adapter imports core modules that are not included in the provided file manifest and defaults storage to a developer-specific absolute path, creating a provenance and configuration gap for the runtime that performs the advertised learning behavior.
from core.skill_schema import SelfEvolvingSkill, create_simple_policy ... "/Users/blitz/.openclaw/workspace/self-evolving-skill/storage"
Do not enable the skill until all referenced core files are included, dependencies and binaries are declared, storage paths are user-scoped, and the complete runtime can be reviewed.
An agent could change or persist skill behavior in ways the user did not explicitly review for each action.
The skill exposes agent-callable tools that create, execute, save, and load evolving skill state, but the artifacts do not show approval checks, scope limits, audit trails, or rollback controls for these mutations.
mcp:
  enabled: true
  tools:
    - name: skill_create
    - name: skill_execute
      description: 执行Skill并触发学习
    - name: skill_save
    - name: skill_load
Require explicit user confirmation for create/execute/save/load operations, restrict which skill state can be modified, and provide clear audit and rollback controls.
Private task details or poisoned context could be stored and reused to influence future agent behavior.
The skill is designed to learn from execution context and persist experience automatically, but the artifacts do not define filtering, retention, provenance, reset, or reuse boundaries for that stored context.
`skill_execute` | execute and learn | `skill_id`, `context`, `success`, `value` ... `经验回放` (experience replay): caches learned patterns ... `持久化` (persistence): experiences are saved/loaded automatically
Avoid sending sensitive context until the skill documents what is stored, where it is stored, how to clear it, and how persisted experiences are isolated and validated.
Installing or invoking the skill may run a local Python process if the referenced server exists.
The TypeScript wrapper starts a local Python process for the MCP server. This is expected for the stated architecture, but it is still local code execution and depends on the missing Python server file.
this.process = spawn('python3', [serverPath, '--port', String(this.port), '--storage', this.storageDir], { stdio: ['pipe', 'pipe', 'pipe'] });
Verify the Python server source before enabling it and ensure it runs with least privilege and only on local, trusted interfaces.
The skill may have a long-running local service tied into the agent environment if configured as documented.
The documentation describes auto-starting a persistent MCP server through the agent configuration. This is consistent with the MCP design, but users should understand it can run beyond a single command.
# or auto-start via configuration (already configured in mcp_servers.json) ... "command": "/bin/bash" ... "source ~/.openclaw/skills/self-evolving-skill/venv/bin/activate && python3 ~/.openclaw/skills/self-evolving-skill/mcp_server.py --storage ..."
Document a clear enable/disable procedure, bind the server locally, and require user consent before auto-starting persistent services.
