Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

evolving skill creator

v1.0.0

Skill creator: creates domain-expert agent Skills with self-learning and continuous self-evolution capabilities. Invoked with the /evo-skill-creator command, or via natural language. Supports the following commands (imperative form or natural language both trigger them): - go: create a new role, help me build an agent, create an XX role - learn: learn about something, research XX knowledge, study in depth -...

by Wu Yao (@wuyao721)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (an 'evo-skill-creator' that builds self‑evolving agents) aligns with the SKILL.md content: it describes creating child agents, registering them, running learn/scan/review/go flows and maintaining memory and reports. Requiring access to memory files, agents-registry, and output/report files is coherent for this purpose. No unrelated environment variables or external credentials are required by the manifest.
Instruction Scope
The SKILL.md explicitly instructs the agent to read many local files (scene-index.md, memory/private/README.md, memory/private/backlog.md, memory/private/agents-registry.md) and to write persistent logs/reports. It also prescribes automating periodic runs (cron/launchd/systemd/GitHub Actions) and gives examples using tool flags such as --allowedTools and the dangerous --dangerously-skip-permissions. While reading its own memory is expected, references to 'private/' paths and suggestions to skip permission checks and auto-schedule autonomous runs broaden scope and risk unexpected data access or privileged actions if the user enables them.
Install Mechanism
This is instruction-only (no install spec, no code files to execute). That lowers supply-chain risk because nothing is downloaded or installed automatically. The skill does instruct using external CLIs (claude, opencode) but does not require them via the package manifest.
Credentials
The registry metadata requests no environment variables or credentials, which is proportionate. However, SKILL.md references external executors and environment signals (examples mention CLAUDE_CODE_TASK_LIST_ID, --allowedTools flags, etc.) that are not declared; the skill may prompt the user to configure executor-specific credentials later. The absence of declared secrets is good, but the instructions can lead users to grant broader tool/credential access during setup, so watch for later requests for executor tokens or dangerous permission flags.
Persistence & Privilege
always:false and default autonomous invocation are normal, but the skill explicitly encourages persistent automation (cron, launchd, GitHub Actions, tick scripts) and recommends parameterizing allowed tools or skipping permission checks. Combined with the skill's ability to create/upgrade many child agents and to register/iterate them (review all, bulk upgrades), this can increase blast radius if scheduled runs are enabled or dangerous flags are used. The manifest itself does not enforce persistence, but the guidance would lead a less technical user to grant ongoing privileges.
What to consider before installing
This skill is functionally coherent: it really does what it says (assist creating and evolving other Skills). But pay attention before enabling automation or granting directory/tool permissions. Do not enable cron/launchd/systemd/GitHub Actions tasks until you: (1) inspect memory/private/backlog.md and agents-registry.md to see what data and child agents exist; (2) choose Option A (keep memory/output inside the skill directory) for isolation if you want to limit access; (3) refuse use of flags like --dangerously-skip-permissions and avoid pre‑authorizing broad tool sets — instead explicitly approve each tool/permission; (4) require manual confirmation for bulk operations (e.g., 'review all' or automated upgrades); and (5) prefer least-privilege: restrict any scheduled runs to a controlled sandbox and cap external executor credentials/budgets. If you want lower risk, keep the skill manual-only (do not schedule ticks) and review all created SKILL.md and output files before applying changes. If you can provide evidence that scheduled tasks will run in a sandbox and that any 'self-modification' or upgrade steps require explicit human approval, my confidence that the skill is safe would increase.
