Self Evolving Skill

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: self-evolving-skill
Version: 1.0.2

The skill bundle implements a 'Self-Evolving Skill' system with Python core logic and TypeScript/Node.js wrappers that communicate through a local MCP server. The installation script and configuration are standard for OpenClaw skills, creating symlinks and directories within the expected paths. `mcporter_adapter.py` builds an `action_code` string with the f-string `f"# {name}"`; because the string starts with '#', a single-line `name` is only a Python comment, so it cannot inject code even if `skill_engine.py` (not provided) were to execute it. That protection covers only the first line: a `name` containing a newline would end the comment, so whether `name` is validated and whether `skill_engine.py` ever evaluates `action_code` should be confirmed against the core sources. There is no evidence of data exfiltration, unauthorized remote execution, persistence mechanisms beyond standard skill operation, or prompt injection attempts against the AI agent.
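To make the comment point concrete, the following is an added example, not code from the skill or from `mcporter_adapter.py`. It reproduces the `f"# {name}"` pattern under a hypothetical `build_action_code`, uses `ast` to show why a single-line name is inert and why a name carrying a newline is not, and adds the validation a reviewer would expect before such a string could ever reach an evaluator. The function names and the 64-character limit are assumptions.

```python
import ast


def build_action_code(name: str) -> str:
    """Hypothetical stand-in for the adapter's f"# {name}"; the real adapter is not reproduced."""
    return f"# {name}"


def is_comment_only(code: str) -> bool:
    """True only if Python parses the string to zero statements.

    A leading '#' comments out one line, not the whole string; parsing with
    ast is the check that tells whether the result is really inert.
    """
    try:
        return len(ast.parse(code).body) == 0
    except (SyntaxError, ValueError):   # ValueError: NUL bytes on older Pythons
        return False


def name_is_safe(name: str) -> bool:
    """Reject names that could terminate the comment line.

    str.isprintable() is False for '\\n', '\\r' and other control characters,
    so anything that could start a second line is refused; the length cap is
    an assumed policy, not something the skill defines.
    """
    return 0 < len(name) <= 64 and name.isprintable()


def safe_action_code(name: str) -> str:
    """Hardened form: validate before interpolating (and never evaluate the result)."""
    if not name_is_safe(name):
        raise ValueError("skill name contains a line break or control character")
    return build_action_code(name)
```

`is_comment_only(build_action_code("greet"))` is true, while `build_action_code("greet\nimport os")` parses to one real statement; `safe_action_code` refuses the second name. The stronger fix is not to assemble code strings from tool input at all.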

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent could persistently reinforce or change this skill's learned behavior based on arbitrary tool calls, which may affect later tasks.

Why it was flagged

The exposed MCP tool lets an agent execute a skill and trigger learning, with success/value defaults, but the schema does not show approval, scope limits, rollback, or safeguards for behavior-changing operations.

Skill content
skill_execute: { name: 'skill_execute', description: 'Execute the Skill and trigger learning' ... success ... default: true ... value ... default: 1.0 }
Recommendation

Require explicit user approval for create/execute/save/load operations, constrain allowed skill IDs and contexts, and provide auditable rollback or reset controls.

What this means

Incorrect or adversarial task context could be reused later as learned experience, changing future behavior in ways the user may not expect.

Why it was flagged

The skill explicitly caches learned patterns and automatically persists/loads them, but the artifacts do not clearly bound what task context is stored, how long it is retained, or how poisoned learned state is prevented from influencing future tasks.

Skill content
- **Experience replay**: caches learned patterns to reduce repeated triggering
- **Persistence**: experience is saved and loaded automatically
Recommendation

Treat stored learning state as untrusted, keep it in a scoped workspace, document retention and reset behavior, and require review before reusing learned state across tasks.
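The two recommendations above (approval and an allow-list for `skill_execute`, and treating persisted learned state as untrusted with bounded retention and rollback) can be met by one store design. The following is an added example, not the skill's own storage code: `LearningStore`, the HMAC-tagged JSON file layout, the `approve` callback and the retention defaults are all assumptions, since the report does not show how the skill actually persists experience. `demo()` exercises it with constructed data on a fake clock.

```python
import copy
import hashlib
import hmac
import json
import tempfile
import time
from pathlib import Path


class LearningStore:
    """Bounded, scoped, integrity-checked store for learned skill state (hypothetical design)."""

    def __init__(self, path, key: bytes, allowed_skills, approve,
                 max_entries=100, ttl_seconds=7 * 86400, now=time.time):
        self.path = Path(path)              # inside the skill's own workspace
        self.key = key                      # per-workspace secret, kept out of the file
        self.allowed = set(allowed_skills)  # skill IDs permitted to learn
        self.approve = approve              # approve(skill_id, context) -> bool
        self.max_entries, self.ttl, self.now = max_entries, ttl_seconds, now
        self.entries, self.history = [], []  # history holds snapshots for rollback

    def record(self, skill_id, context, success=True, value=1.0):
        """An update lands only for an allow-listed skill and with explicit approval."""
        if skill_id not in self.allowed:
            raise PermissionError(f"skill {skill_id!r} is not in the allow-list")
        if not self.approve(skill_id, context):
            raise PermissionError("learning update was not approved")
        self.history.append(copy.deepcopy(self.entries))
        self.entries.append({"skill": skill_id, "context": str(context)[:512],
                             "success": bool(success), "value": float(value),
                             "t": float(self.now())})
        self._prune()

    def rollback(self) -> bool:
        if not self.history:
            return False
        self.entries = self.history.pop()
        return True

    def reset(self):
        self.entries, self.history = [], []

    def _prune(self):
        cutoff = self.now() - self.ttl     # drop expired entries, then cap the count
        self.entries = [e for e in self.entries if e["t"] >= cutoff][-self.max_entries:]

    def _tag(self, entries) -> str:
        canon = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self.key, canon, hashlib.sha256).hexdigest()

    def save(self):
        self.path.write_text(json.dumps({"tag": self._tag(self.entries),
                                         "entries": self.entries}))

    def load(self) -> bool:
        """Load persisted state; anything malformed or tampered with resets to empty."""
        try:
            doc = json.loads(self.path.read_text())
            entries = doc["entries"]
            if not hmac.compare_digest(str(doc["tag"]), self._tag(entries)):
                raise ValueError("integrity tag mismatch")
            if not all(isinstance(e, dict) and isinstance(e.get("t"), (int, float))
                       for e in entries):
                raise ValueError("unexpected entry shape")
        except (OSError, ValueError, KeyError, TypeError):
            self.reset()
            return False
        self.entries, self.history = entries, []
        self._prune()
        return True


def demo() -> dict:
    """Walk the lifecycle on a fake clock with constructed data; returns what happened."""
    path = Path(tempfile.mkdtemp()) / "learned.json"
    clock = [1000.0]

    def store(approve=lambda skill, ctx: True):
        return LearningStore(path, b"workspace-key", ["summarize"], approve,
                             max_entries=2, ttl_seconds=100, now=lambda: clock[0])

    out, s = {}, store()
    for ctx in ("ctx1", "ctx2", "ctx3"):
        s.record("summarize", ctx)
        clock[0] += 10
    out["after_three"] = [e["context"] for e in s.entries]   # capped at max_entries
    s.rollback()
    out["after_rollback"] = [e["context"] for e in s.entries]
    try:
        s.record("shell_exec", "rm -rf /")                     # not allow-listed
        out["allowlist"] = "allowed"
    except PermissionError:
        out["allowlist"] = "blocked"
    try:
        store(approve=lambda skill, ctx: False).record("summarize", "x")
        out["approval"] = "allowed"
    except PermissionError:
        out["approval"] = "blocked"
    s.save()
    fresh = store()
    out["reload"] = (fresh.load(), len(fresh.entries))
    clock[0] = 1300.0                                          # past the retention window
    stale = store()
    out["expired"] = (stale.load(), len(stale.entries))
    doc = json.loads(path.read_text())
    doc["entries"][0]["value"] = 99.0                          # file edited outside the store
    path.write_text(json.dumps(doc))
    tampered = store()
    out["tampered"] = (tampered.load(), len(tampered.entries))
    return out
```

The HMAC key should be generated per workspace and held outside the state file, so a poisoned or hand-edited file is discarded on load rather than silently reused; retention and the entry cap are what make the stored context auditable in practice.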

What this means

A user may end up running unreviewed Python code, or a differently packaged version of the skill, just to make it work.

Why it was flagged

The runtime is designed to execute core/mcp_server.py if present, and other files import core modules, but the provided manifest does not include the core directory. That leaves the main Python behavior outside the reviewed artifact set.

Skill content
const serverPath = join(dirname(__dirname), 'core', 'mcp_server.py'); ... this.process = spawn('python3', [serverPath, '--port', String(this.port), '--storage', this.storageDir]
Recommendation

Publish and review the full core implementation with the skill, pin the expected package contents, and avoid executing components that are not included in the reviewed release.

What this means

Local Python code may run when the engine initializes.

Why it was flagged

The skill performs local process execution to bridge to a Python MCP server. This is disclosed and purpose-aligned, but users should notice that installing/enabling it may run local code.

Skill content
spawn('python3', [serverPath, '--port', String(this.port), '--storage', this.storageDir], { stdio: ['pipe', 'pipe', 'pipe'] })
Recommendation

Only enable it from a trusted package, review the Python server code, and run it in a least-privilege workspace.
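For both points above about spawning `core/mcp_server.py` (the core directory missing from the reviewed manifest, and local code running when the engine initializes), the practical control is to pin the release contents and refuse to spawn anything that does not match. This added example is not part of the skill: `build_manifest`, `verify_release`, `launch_command` and the `manifest.json` name are assumptions, and the tree `demo()` builds is constructed. It only produces the argv; the real wrapper would hand that to `spawn`.

```python
import hashlib
import tempfile
from pathlib import Path

# The entry point the TypeScript wrapper spawns, per the report. Everything the
# core imports must be pinned too, which the manifest does by listing every file.
REQUIRED = ("core/mcp_server.py",)
MANIFEST_NAME = "manifest.json"   # hypothetical; reviewed and shipped with the release


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _files(root: Path) -> dict:
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*")
            if p.is_file() and p.name != MANIFEST_NAME}


def build_manifest(root) -> dict:
    """Release-time step: pin every file the skill ships."""
    return {rel: sha256_of(p) for rel, p in sorted(_files(Path(root)).items())}


def verify_release(root, manifest: dict) -> list:
    """Return the problems found; an empty list means the tree matches the pinned manifest."""
    root = Path(root)
    problems = [f"manifest does not pin required file {rel}"
                for rel in REQUIRED if rel not in manifest]
    for rel, digest in manifest.items():
        p = root / rel
        if p.is_symlink():                    # a symlink can be re-pointed later; not pinned
            problems.append(f"{rel} is a symlink, content not pinned")
        elif not p.is_file():
            problems.append(f"missing {rel}")
        elif sha256_of(p) != digest:
            problems.append(f"hash mismatch for {rel}")
    for rel in sorted(set(_files(root)) - set(manifest)):
        problems.append(f"unpinned file {rel}")
    return problems


def launch_command(root, manifest: dict, port: int, storage_dir) -> list:
    """argv for the spawn call, produced only when the tree is intact."""
    problems = verify_release(root, manifest)
    if problems:
        raise RuntimeError("refusing to start core/mcp_server.py: " + "; ".join(problems))
    return ["python3", str(Path(root) / "core" / "mcp_server.py"),
            "--port", str(port), "--storage", str(storage_dir)]


def demo() -> dict:
    """Build a constructed skill tree in a temp dir and exercise the checks."""
    root = Path(tempfile.mkdtemp())
    (root / "core").mkdir()
    (root / "core" / "mcp_server.py").write_text("print('constructed stand-in')\n")
    (root / "SKILL.md").write_text("# self-evolving-skill (constructed)\n")
    manifest = build_manifest(root)
    out = {"pinned": sorted(manifest), "clean": verify_release(root, manifest)}
    out["argv"] = launch_command(root, manifest, 8765, root / "storage")
    (root / "core" / "mcp_server.py").write_text("import os\n")   # changed after review
    out["tampered"] = verify_release(root, manifest)
    try:
        launch_command(root, manifest, 8765, root / "storage")
        out["launched"] = True
    except RuntimeError:
        out["launched"] = False
    (root / "core" / "mcp_server.py").unlink()                    # core not shipped at all
    out["missing"] = verify_release(root, {"SKILL.md": manifest["SKILL.md"]})
    return out
```

The manifest itself still has to be trusted: ship it with the reviewed release (signed, or at least compared against the reviewed copy), otherwise an attacker who can replace `core/` can replace the pins with it.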

What this means

Task context and embeddings may be passed to a local server process; if that server is exposed or replaced, tool calls could cross an unintended boundary.

Why it was flagged

The TypeScript wrapper sends tool calls to a localhost MCP-style HTTP endpoint, but no authentication or caller-boundary mechanism is shown in the reviewed client code.

Skill content
hostname: 'localhost', port: this.port, path: '/tools', method: 'POST'
Recommendation

Bind the server to localhost only, add caller validation where possible, and avoid sending sensitive context unless the full server implementation is trusted.
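One way to give the localhost bridge the caller boundary the review could not find: the parent generates a per-process bearer token, passes it to the child through the environment, and the server binds to 127.0.0.1 and rejects any `/tools` request that does not present it. This is an added example in Python using only the standard library, not the skill's `mcp_server.py` or its TypeScript client; the `SKILL_BRIDGE_TOKEN` name, the echo response and the handler are assumptions, and `demo()` runs both sides in one process.

```python
import hmac
import json
import os
import secrets
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

TOKEN_ENV = "SKILL_BRIDGE_TOKEN"   # hypothetical variable name


def child_env(token: str) -> dict:
    """Environment for the spawn call: the token travels in env, not argv, so it
    does not show up in process listings the way --port and --storage do."""
    return {**os.environ, TOKEN_ENV: token}


def make_handler(token: str):
    expected = token.encode()

    class ToolHandler(BaseHTTPRequestHandler):
        def do_POST(self):
            if self.path != "/tools":
                return self._reply(404, {"error": "not found"})
            auth = self.headers.get("Authorization", "")
            # Constant-time compare on bytes; header values may carry non-ASCII.
            if not (auth.startswith("Bearer ") and
                    hmac.compare_digest(auth[7:].encode(), expected)):
                return self._reply(401, {"error": "unauthorized"})
            try:
                length = int(self.headers.get("Content-Length", "0"))
                call = json.loads(self.rfile.read(length) or b"{}")
            except ValueError:
                return self._reply(400, {"error": "bad request"})
            # Echo the tool name back; real dispatch is the server's business.
            self._reply(200, {"ok": True, "tool": call.get("name")})

        def _reply(self, status: int, body: dict):
            data = json.dumps(body).encode()
            self.send_response(status)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def log_message(self, *args):   # keep per-request logging quiet
            pass

    return ToolHandler


def start_server(token: str) -> ThreadingHTTPServer:
    """Bind the loopback address explicitly; port 0 lets the OS pick a free one."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(token))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def call_tool(port: int, token: str, name: str, arguments: dict):
    """Client side, mirroring the wrapper's POST /tools with the bearer token attached."""
    body = json.dumps({"name": name, "arguments": arguments}).encode()
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", "/tools", body=body,
                 headers={"Content-Type": "application/json",
                          "Authorization": f"Bearer {token}"})
    resp = conn.getresponse()
    result = (resp.status, json.loads(resp.read() or b"{}"))
    conn.close()
    return result


def demo() -> dict:
    token = secrets.token_urlsafe(32)        # generated once per child process
    env = child_env(token)
    srv = start_server(env[TOKEN_ENV])       # the child would read it from its own env
    port = srv.server_address[1]
    try:
        return {"good": call_tool(port, token, "skill_execute", {"skill_id": "summarize"}),
                "bad": call_tool(port, "not-the-token", "skill_execute", {})}
    finally:
        srv.shutdown()
        srv.server_close()
```

The reviewed client connects to the name 'localhost', which a resolver may map to ::1 rather than 127.0.0.1; when the server binds one loopback address the client should use the same literal, or the server should listen on both. A token does not replace reviewing the server itself, but it stops any other local process from driving `skill_execute` through the open port.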