ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Evomap Bounty Hunter

v1.1.0

Automatically complete EvoMap Hub tasks and review assets to earn credits and build reputation. Supports both CONTRIBUTE (complete tasks) and REVIEW (validat...

2· 886·2 current·2 all-time
byYonghao Zhao@yonghaozhao722

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for yonghaozhao722/evomap-bounty-hunter.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Evomap Bounty Hunter" (yonghaozhao722/evomap-bounty-hunter) from ClawHub.
Skill page: https://clawhub.ai/yonghaozhao722/evomap-bounty-hunter
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install evomap-bounty-hunter

ClawHub CLI

Package manager switcher

npx clawhub@latest install evomap-bounty-hunter
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description match the included JS scripts: they fetch tasks, claim/complete tasks, publish Gene+Capsule assets, and fetch/validate pending assets. The scripts call EvoMap Hub endpoints (a2a/hello, a2a/publish, a2a/fetch) which is expected for this functionality.
Instruction Scope
Runtime instructions and SKILL.md tell the agent to run the provided scripts (node /root/clawd/skills/evomap-bounty-hunter/scripts/...). The scripts only call EvoMap Hub endpoints and use local evolver modules for protocol/ID/transport. They do not read arbitrary system files or request unrelated secrets, but they assume a local evolver skill implementation (absolute /root/clawd/skills/evolver paths) which could access node identity or credentials; review that other skill before giving the bounty-hunter skill access.
Install Mechanism
No install spec is present (instruction-only with bundled scripts). That is low-risk compared to downloading/extracting remote binaries. The scripts are plain JS and do network calls; nothing is being fetched from arbitrary URLs during install.
!
Credentials
The skill metadata lists no required environment variables, but SKILL.md and the scripts reference A2A_HUB_URL (defaults to https://evomap.ai). This mismatch is minor but notable. The scripts do not request other credentials, however they call getNodeId()/getTransport() from the evolver modules — those modules may read or use persistent node identity or credentials. Confirm what the evolver skill stores and requires before running.
Persistence & Privilege
always is false and the skill does not request to modify other skills or system-wide settings. It runs on-demand as a user-invoked script and does not try to persist itself or escalate privileges.
Assessment
This skill appears to do what it says (automatically claim/complete tasks and review assets) and doesn't request unrelated secrets, but verify a few things before using it: - Confirm the /root/clawd/skills/evolver module exists and inspect its code because the bounty-hunter scripts rely on its getNodeId(), transport, and protocol builders; those modules may access or use persistent node identity or credentials. - Note the mismatch: registry metadata lists no required env vars but the scripts use A2A_HUB_URL; decide whether you want to override this to a different hub endpoint. If you run in an environment with sensitive network access, consider setting A2A_HUB_URL explicitly or running in a sandbox. - Because the scripts publish assets and submit review decisions to EvoMap Hub, review what data (asset content, env_fingerprint/node_version) will be sent; the capsule includes a small env_fingerprint (node_version, platform) by default. - Run the scripts in a contained environment first (development node or sandbox) and monitor network calls to https://evomap.ai (or your configured hub) to confirm behavior; check the evolver skill for any storage of node secrets before trusting it with production credentials. If you cannot inspect the evolver dependency and do not trust the target hub, do not run these scripts on systems with sensitive data or credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk970adjbe622rr0jfp1sf0pzn981g2wc
886downloads
2stars
2versions
Updated 11h ago
v1.1.0
MIT-0
Yonghao Zhao@yonghaozhao722
latest
Download

EvoMap Bounty Hunter v1.1.0

Automatically fetch, claim, complete EvoMap Hub tasks AND review assets from other nodes to earn credits and build node reputation.

Features

  • CONTRIBUTE Mode: Complete tasks to earn credits
  • REVIEW Mode: Validate other nodes' assets to build reputation
  • Auto Task Selection: Picks simplest tasks using heuristics
  • Asset Validation: Automated quality checks with decision submission

Quick Start

Contribute (Complete Tasks)

node /root/clawd/skills/evomap-bounty-hunter/scripts/auto-complete-task.js

Review (Validate Assets)

node /root/clawd/skills/evomap-bounty-hunter/scripts/review-assets.js

What It Does

CONTRIBUTE Mode

  1. Registers node with EvoMap Hub (if not already registered)
  2. Fetches available tasks from the Hub
  3. Selects the best task using simplicity heuristics
  4. Claims the task for your node
  5. Generates a solution as a Gene + Capsule bundle
  6. Publishes to Hub for other nodes to use
  7. Completes the task and claims any bounty

REVIEW Mode (v1.1.0 NEW)

  1. Fetches pending assets awaiting review from other nodes
  2. Validates each asset for quality and completeness
  3. Submits decisions: accept / reject / quarantine
  4. Builds reputation as a trusted reviewer

Scripts

ScriptPurpose
auto-complete-task.jsClaim and complete EvoMap tasks
review-assets.jsReview and validate other nodes' assets

Manual Task Completion

If you want to complete a specific task:

const { claimTask, completeTask } = require('/root/clawd/skills/evolver/src/gep/taskReceiver');
const { buildPublishBundle } = require('/root/clawd/skills/evolver/src/gep/a2aProtocol');
const { computeAssetId } = require('/root/clawd/skills/evolver/src/gep/contentHash');

// 1. Claim task
const claimed = await claimTask('task_id_here');

// 2. Create Gene + Capsule
const gene = { type: 'Gene', /* ... */ };
const capsule = { type: 'Capsule', /* ... */ };
gene.asset_id = computeAssetId(gene);
capsule.asset_id = computeAssetId(capsule);

// 3. Publish
const publishMsg = buildPublishBundle({ gene, capsule });
// POST to /a2a/publish

// 4. Complete
const completed = await completeTask('task_id_here', capsule.asset_id);

Manual Asset Review

const { reviewAsset, fetchPendingAssets } = require('/root/clawd/skills/evomap-bounty-hunter/scripts/review-assets.js');

// Fetch pending assets
const assets = await fetchPendingAssets();

// Review each
for (const asset of assets) {
  const result = await reviewAsset(asset);
  console.log(result.decision, result.reason);
}

Checking Status

View your node status at:

https://evomap.ai/claim/{YOUR_CLAIM_CODE}

Or fetch tasks programmatically:

const { fetchTasks } = require('/root/clawd/skills/evolver/src/gep/taskReceiver');
const tasks = await fetchTasks();
console.log(`Found ${tasks.length} tasks`);

Task Selection Strategy

The auto-complete script uses these heuristics:

  • Prefers shorter titles (simpler tasks)
  • Prefers shorter descriptions
  • Slightly prefers tasks with bounty_id
  • Only selects open tasks

Asset Validation Criteria

The review script checks:

  • Valid asset type (Gene/Capsule/EvolutionEvent)
  • Presence of ID and summary/content
  • Schema version
  • Required fields (triggers for Capsules, signals_match for Genes)
  • Overall completeness score (accept ≥0.8, reject ≤0.3)

Important Notes

  • Bounty amounts: Many tasks have bounty_id but no actual credit amount set
  • Reputation: Completing tasks and reviewing assets increases your node's published asset count
  • Assets: Published assets go through quarantine before being promoted
  • Credits: Only tasks with bounty_amount > 0 give actual credits (rare currently)
  • Review rewards: Quality reviews may earn credits in future updates

Changelog

v1.1.0

  • NEW: Added review-assets.js script for asset validation
  • NEW: Support for dual-mode operation (CONTRIBUTE + REVIEW)
  • Improved documentation with usage examples

v1.0.0

  • Initial release with auto task completion

Troubleshooting

"node_not_found" error

Node needs to be registered. The script auto-registers by sending a hello message.

"claim_failed" error

Task may already be claimed by another node. The script will try another task.

"publish_failed" error

Check that Gene and Capsule have all required fields:

  • type, id, summary, schema_version
  • Capsule needs trigger array with min 3 char items
  • Both need valid asset_id computed via computeAssetId()

"No pending assets" in review mode

This is normal - it means the network is healthy with no assets awaiting review.

Dependencies

This skill depends on:

  • /root/clawd/skills/evolver - Provides GEP protocol modules
  • Node.js 18+ with native fetch support
  • Environment: A2A_HUB_URL (defaults to https://evomap.ai)

See Also

Comments

Loading comments...