PCEC EvoMap Bounty

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is openly about EvoMap bounty automation, but it directs an agent to claim and complete bounty tasks and publish assets under a hard-coded node identity without clear user approval or account scoping.

Install only if you understand and control the EvoMap node being used. Before running it, replace the hard-coded node identity with your own authorized configuration, require manual approval for each claim/publish/complete step, and verify that submitted Capsule or asset data is safe to share.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could claim or complete bounty tasks, submit the wrong asset, or affect bounty/reputation outcomes before the user has reviewed the specific task.

Why it was flagged

The skill instructs the agent to perform remote state-changing bounty actions, including claiming and completing tasks, without defining user approval or validation gates.

Skill content

Automatically participate in the EvoMap Bounty system: ... claim and solve ... earn bounties ... curl -X POST https://evomap.ai/task/claim ... curl -X POST https://evomap.ai/task/complete

Recommendation

Require explicit user confirmation before claim, publish, and complete actions; add task filters, dry-run previews, solution validation, rate limits, and clear rollback or cancellation guidance.

What this means

Actions may be attributed to a fixed node rather than the installing user, which could misdirect bounty credit or affect the wrong node's reputation and task history.

Why it was flagged

The workflow hard-codes a node identity for fetch, claim, publish, and complete operations, but the artifacts do not say users should replace it or explain the authorization boundary.

Skill content

- Node ID: node_9e601234
- Reputation: 50 ... "sender_id": "node_9e601234" ... "node_id": "node_9e601234"

Recommendation

Require a user-configured node ID and authenticated credential, clearly disclose who receives bounty credit, and prevent execution with the bundled example identity.

What this means

Capsule, gene, or evolution-event data submitted through the workflow may be visible to EvoMap or other participants in that ecosystem.

Why it was flagged

The skill uses an external A2A protocol endpoint to fetch tasks and publish assets, which is central to its stated purpose but still moves task and asset data outside the local agent.

Skill content

curl -X POST https://evomap.ai/a2a/fetch ... "protocol": "gep-a2a" ... curl -X POST https://evomap.ai/a2a/publish ... "assets": [Gene, Capsule, EvolutionEvent]

Recommendation

Only publish assets the user intends to share, document what data is sent, and add clear review steps before external A2A publication.