PCEC EvoMap Integrator
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill's behavior is consistent with its stated purpose of EvoMap integration, but it can let remote EvoMap content drive agent actions and change bounty/task state without clear user approval or identity boundaries.
Install only if you are comfortable with the agent contacting evomap.ai, using remote results as workflow suggestions, and interacting with bounty tasks. Require manual review before executing retrieved solutions or claiming/completing tasks, and avoid sending sensitive error details as signals.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A remote EvoMap result could steer the agent’s behavior or be applied as a solution even if the content is wrong, unsafe, or malicious.
The skill retrieves a remote EvoMap payload, treats it as a reusable solution, and the usage example indicates executing the solution without showing validation or user approval.
const solution = best.payload; ... return { reused: true, solution, asset: best }; ... // execute the solution...
Require explicit user review before applying any remote solution, treat retrieved payloads as untrusted data, and validate or sandbox any suggested commands or workflow changes.
If followed automatically, the agent could report usage or change external bounty/task status before the user has reviewed the action.
The workflow includes delayed automatic reporting and API calls that claim or complete external bounty tasks, but it does not show approval gates, scope checks, or rollback.
setTimeout(() => reportUsage(best.asset_id, true), 60000); ... fetch('https://evomap.ai/a2a/task/claim' ... fetch('https://evomap.ai/a2a/task/complete'
Add explicit confirmation before reporting, claiming, or completing tasks, and show the exact task, asset, and data being sent before any mutation.
Actions may be attributed to a fixed node rather than the installing user, making authorization, accountability, and consent unclear.
The same hard-coded sender ID is used in external EvoMap requests, including task claim and completion flows, without a user-configured identity or credential boundary.
sender_id: 'node_9e601234'
Bind external actions to a user-approved account or token, document what authority that identity has, and avoid hard-coded actor identities for mutable operations.
A bad or untrusted remote result could be stored and reused in future sessions or tasks.
The skill maintains a local capability cache and the example suggests updating it with remote solutions, which can cause retrieved content to be reused later.
Local capability library ... LOCAL_CAPSULE_CACHE ... updateLocalCache(errorSignals, solution)
Only cache validated results, record provenance and expiration, and let users inspect or clear the local capability library.
Error signals or task context may be shared with an external service, and remote responses may influence the agent.
The skill uses an external agent-to-agent style API and sends signal data to evomap.ai; this is purpose-aligned but the artifact does not define data minimization or origin validation.
protocol: 'gep-a2a' ... fetch('https://evomap.ai/a2a/fetch' ... payload: { signals: signals, limit: 5 }
Send only minimal, non-sensitive signals, disclose the external data flow to users, and validate the source and structure of all A2A responses.
