Skillv1.0.0

ClawScan security

Evolver Repo · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 3, 2026, 11:54 PM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The code and runtime instructions broadly match a self‑evolution engine, but there are multiple mismatches and high‑impact capabilities (self‑modification, running validation commands, ingesting/promoting external assets, reading .env/git) that are not declared in the registry metadata and deserve careful review before use.
Guidance: This repo is functionally what it claims (a self‑evolver), but it carries substantial power and a few inconsistencies. Before installing or running it: 1) Treat .env and any repo secrets as sensitive — the code loads .env automatically and may use tokens like GITHUB_TOKEN if set. 2) Do not enable EVOLVE_ALLOW_SELF_MODIFY in production; keep it false for experiments. 3) Run first in review mode (--review) and in an isolated sandbox/container with no access to sensitive repos or credentials. 4) Audit src/gep/solidify.js and the Gene validation handling — validation commands may be restricted to node/npm/npx but those can still run arbitrary JS. 5) If you will use A2A ingestion/export, require strict manual validation before promoting external Genes/Capsules (the scripts require --validated for promotion). 6) Ensure Git is available and you understand the repo will call git; back up the repository and enable git hooks/branch protection if you plan to let it modify code. 7) If you need lower risk, remove/disable A2A transports and any publishing paths (GITHUB_TOKEN), and run only the analysis/reporting parts. If you want me to, I can scan the specific solidify.js and a2aProtocol implementations for the exact validation/transport logic and surface any code paths that would execute arbitrary remote commands.

Review Dimensions

Purpose & Capability: noteThe repo implements a self‑evolution engine consistent with the name/description (log analysis, genes/capsules, solidify flow). However the registry metadata claimed no required binaries/env yet README and code require Git and Node >=18 and optionally use GITHUB_TOKEN/GH_TOKEN for publishing. That mismatch (registry says 'none' while the project expects Git and may use release tokens) is an incoherence to surface.
Instruction Scope: concernSKILL.md and index.js instruct running node index.js (loop or review modes). At runtime the code reads repository files, memory/logs, .env (via dotenv), runs git commands, and can execute validation commands (via solidify) taken from Genes/Capsules when promoted. The a2a scripts and protocol call getTransport().send(...) allowing external asset exchange. These behaviors go beyond a narrow 'analyze only' scope and grant broad file/system access and the ability to execute code derived from assets — risky without strict operational controls.
Install Mechanism: okThere is no remote install step or external download in the registry spec; the package is shipped with full source files and a small dependency (dotenv). No extract-from-URL installs were observed. This is lower install-time risk, but the code itself will be written to disk and executed when installed.
Credentials: concernThe skill declares no required envs, but SKILL.md and code read many optional environment variables (EVOLVE_ALLOW_SELF_MODIFY, EVOLVE_REPORT_TOOL, EVOLVE_STRATEGY, A2A_* variables, and publishing vars such as GITHUB_TOKEN/GH_TOKEN). The code loads .env automatically. Access to arbitrary .env/GitHub tokens and to the repository (git commands) is disproportionate relative to the minimal registry declaration and increases the risk of secret exposure or unintended publishing/actions.
Persistence & Privilege: notealways:false (so not force‑installed). The skill can run as a long‑running daemon, create lockfiles, spawn child processes for self‑restart, and (if enabled) apply changes to the codebase. EVOLVE_ALLOW_SELF_MODIFY defaults to false, which limits autonomous self‑editing by default, but turning it on grants the skill high privilege to alter its own source and run validation commands. Autonomous invocation combined with external asset ingestion and validation execution increases blast radius if misused.