Evolver Repo

Security checks across malware telemetry and agentic risk

Overview

The skill is a real self-evolution tool, but it also performs under-disclosed auto-updates, default Hub networking, persistent node identification, and externally influenced task handling.

Install only after reviewing and constraining it:
  • Use review/dry-run modes.
  • Avoid --loop unless you want a background worker.
  • Disable or block network egress if you do not want EvoMap Hub contact.
  • Turn off auto-update in the OpenClaw config before normal use.
  • Avoid setting command-bearing environment variables such as INTEGRATION_STATUS_CMD.
  • Run it first in a disposable git repo with no sensitive session history or credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (65)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill advertises meaningful capabilities involving environment access and networking, but the manifest does not declare corresponding permissions. That creates a transparency and governance gap: operators cannot accurately assess what the skill may access or exfiltrate before enabling it. In a self-modifying, automated skill, undeclared env/network access is especially risky because it can read secrets and communicate externally without clear user awareness.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 97%
Finding
The documented purpose is narrow self-evolution from runtime history, but the detected behavior spans external networking, publishing, self-update, process control, git operations, fingerprinting, and cross-agent exchange. This mismatch undermines informed consent and makes the skill materially more dangerous than advertised, since users may invoke it expecting local improvement while it can interact with external systems and modify repositories or releases. In practice, description-behavior mismatches are a strong indicator of overbroad or insufficiently constrained agent behavior.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The documentation explicitly allows fully automated execution that can immediately write code and update memory, despite positioning the system as protocol-constrained and auditable. Autonomous code changes without mandatory review create a direct path to integrity loss, persistence of bad mutations, and accidental introduction of insecure logic. The danger is amplified because the skill is designed to analyze history and act on it, increasing the chance of broad, repeated changes from imperfect signals.

Context-Inappropriate Capability

Low
Confidence: 77%
Finding
Dynamic detection of other local skills and automatic behavior upgrades expands the trust boundary beyond the documented core function. This can cause unexpected privilege creep or tool substitution, especially if a local skill changes output channels or introduces unsafe side effects. While not inherently malicious, it weakens predictability and auditability in a self-modifying system.

Context-Inappropriate Capability

High
Confidence: 95%
Finding
The code can spawn a detached child copy of itself, unref it, and exit, effectively self-daemonizing and persisting beyond the initiating session. In an agent skill context, this materially increases risk because it enables long-running autonomous behavior, makes monitoring harder, and can be abused for persistence or uncontrolled background execution.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
This script performs publication, tagging, remote pushes, and release creation against external services, which is materially outside the stated purpose of a self-evolution/runtime-analysis skill. Even if intended for maintenance, bundling release automation into the skill increases the chance that an agent with access to this code can modify public repositories or publish artifacts unexpectedly, creating a supply-chain and exfiltration risk.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The code clones/pushes to remote repositories, creates tags, and creates GitHub Releases using either gh auth or API tokens from the environment. In an agent-executed context, this enables direct external side effects and potential unauthorized publication of code or artifacts, which is especially dangerous because the skill's declared purpose does not justify remote release operations.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
This function publishes artifacts to the external ClawHub registry and treats existing credentials/session state as sufficient authority. In an agent or plugin environment, that creates a supply-chain publication path unrelated to self-evolution analysis, allowing accidental or unauthorized distribution of artifacts under trusted package names.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The skill’s declared purpose is runtime-history analysis and protocol-constrained evolution, but it also performs autonomous package/skill updates by invoking external tooling and force-updating components. That materially expands its authority from analysis into software supply-chain modification, creating a path for unreviewed code changes, compromised upstream packages, or operational drift. In this context, the mismatch makes the behavior more dangerous because the agent is already self-modifying and can silently change its own execution environment.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The code executes a shell command directly from the INTEGRATION_STATUS_CMD environment variable via execSync, which is arbitrary command execution if an attacker can influence environment configuration. Because this skill already runs with local file and process visibility, the command can be used to exfiltrate secrets, alter files, or install persistence. The skill context makes this more dangerous because environment variables are loaded from the repo .env and the agent is designed to operate autonomously.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The skill can force-update external skills/packages through the clawhub CLI without strong trust validation, version pinning, or user approval. This creates a supply-chain attack surface where upstream compromise, typosquatting, or repository tampering can result in arbitrary code being pulled into the agent’s environment. Given this is a self-evolution engine, autonomous update capability is especially risky because it can alter the very logic that governs future behavior.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
This file implements outbound HTTP transport, hub registration, and recurring heartbeat behavior that materially expands the skill from local self-evolution logic into networked coordination and telemetry. In a self-modifying or capability-evolving system, undisclosed network communication increases the risk of remote influence, data exfiltration, and persistence beyond the user’s expected trust boundary.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The hello message includes an environment fingerprint and advertises it to peers or a hub, which exposes host-specific characteristics unrelated to the stated self-evolution purpose. This creates unnecessary device profiling and can help correlate activity across runs or systems, especially when combined with stable node identity.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The code derives a stable node identifier from device/environment characteristics and persists it locally, enabling long-term tracking of the host across sessions. That persistence and derivation exceed the stated purpose and create a durable identity that can be used for correlation, telemetry, or remote reputation systems without user awareness.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
This code derives a stable identifier from host- and container-level attributes such as /etc/machine-id, macOS IOPlatformUUID, container IDs, hostname, and MAC addresses, and even invokes a system utility on macOS to obtain that data. For a skill described as runtime-history-based capability evolution, this broad device fingerprinting exceeds what is obviously necessary and creates a persistent tracking primitive that can be used to correlate runs, hosts, or deployments beyond user expectations.

Context-Inappropriate Capability

Medium
Confidence: 86%
Finding
The module persists a stable identifier to ~/.evomap/device_id or a project-local .evomap_device_id file, creating durable state that survives restarts and potentially repository or workspace movement. In a self-evolving agent context, this enables long-term node tracking and writes hidden local state without that capability being clearly justified by the stated functionality, which raises privacy and transparency concerns.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
This adapter can transmit memory-graph contents, including signals, observations, hypotheses, attempts, and external candidates, to a remote service when an environment variable enables the remote provider. That creates a real data exfiltration path that conflicts with the stated offline/local expectation and is especially sensitive here because the component belongs to a self-evolution engine that aggregates runtime history and internal decision data.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The prompt builder injects both an environment fingerprint and arbitrary EVOLVE_HINT text into the model context, expanding the agent's visibility into host/runtime details beyond what is needed for 'runtime history' analysis. In a self-modifying evolution engine, this materially increases the risk of sensitive system metadata disclosure and can help the model tailor unsafe mutations or exfiltration-oriented behavior.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The module is explicitly designed to turn runtime-derived context into outbound Hub questions, and those questions can include fragments from session transcripts and operational failures. That creates a data-exfiltration channel beyond a narrow self-evolution role, especially because user/session content is repurposed for external sharing without strong minimization, consent, or policy checks.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The generator mines session transcripts to extract lines such as unsupported requests, feature asks, and performance complaints, then embeds that context into questions intended for external bounty creation. Even if truncated, this can leak sensitive user intent, internal limitations, or proprietary workflow details to outside systems not necessary for core local evolution.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
This file goes beyond local 'self-evolution' and performs outbound Hub publication and remote task-completion actions. Even if intended for ecosystem coordination, these network side effects can exfiltrate internal metadata, code-derived artifacts, failure details, or trigger remote state changes without being clearly justified by the declared capability.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The auto-publish path sends Gene/Capsule/Event bundles to an external Hub, including summaries, signals, environment data, and possibly diff-derived content. In a self-modifying system, publishing internal evolution artifacts externally increases data leakage and trust-boundary risk, especially when enabled by default via environment-driven behavior.

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding
The code can mark remote Hub tasks complete based on local execution state, which changes external system state unrelated to purely local evolution. If misconfigured or abused, this can falsely acknowledge work, interfere with orchestration, or let local logic drive remote workflow transitions; no strong authorization or context checks are shown here.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
This module expands the skill from a stated self-evolution engine into an external task marketplace client that fetches, prioritizes, claims, and completes Hub work. That scope expansion is security-relevant because it enables externally driven behavior and remote influence over the agent’s priorities, increasing attack surface and creating a path for untrusted task injection into the evolution loop.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
Allowing fetch requests to piggyback proactive questions for Hub-created bounties gives the agent a mechanism to initiate external marketplace activity, not merely consume runtime history. In context, this broadens autonomy and can be abused to generate unsolicited external work items or leak internal interests/signals through question content.

VirusTotal

66/66 vendors flagged this skill as clean.