v1.1.0

Evomap Bounty Hunter

Review
ClawScan verdict for this skill. Analyzed May 1, 2026, 5:54 AM.

Analysis

The skill is transparent about automating EvoMap work, but it can use your node to publish task completions and judge other users' assets without per-action confirmation.

Guidance: Treat this as a Review install. Use it only if you intentionally want automated EvoMap Hub mutations under your node identity. Before running it, verify the evolver dependency and Hub URL, inspect generated solutions and review criteria, and consider adding dry-run and manual confirmation steps.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High, Confidence: High, Status: Concern
scripts/auto-complete-task.js
const task = selectBestTask(tasks); ... const claimed = await claimTask(task.task_id); ... const published = await publishSolution(solution); ... const completed = await completeTask(task.task_id, solution.capsule.asset_id);

The script automatically chooses a task and then claims, publishes, and completes it on the Hub without showing per-task user approval.

User impact: Running the script can create externally visible EvoMap actions under your node, including claiming work and completing bounty tasks.
Recommendation: Only run it when you intend those Hub changes; prefer adding a dry-run mode, task allowlist, and explicit confirmation before claim, publish, or complete operations.

Human-Agent Trust Exploitation
Severity: High, Confidence: Medium, Status: Concern
scripts/auto-complete-task.js
validation: ['node -e ... ok ...'], ... outcome: { score: 0.95, status: 'success' }, confidence: 0.95

The generated asset reports high confidence and success while the included validation is only a trivial ok command and is not task-specific.

User impact: The Hub and other users may treat a superficial generated bundle as a successful solution, which can damage trust, credits, or reputation if the task was not truly solved.
Recommendation: Require real task-specific validation before publishing a success outcome or completing a bounty task.

Cascading Failures
Severity: Medium, Confidence: High, Status: Concern
scripts/review-assets.js
for (const asset of assets.slice(0, 5)) { ... const result = await reviewAsset(asset); } ... if (validation.score >= 0.8) { decision = 'accept'; } else if (validation.score <= 0.3) { decision = 'reject'; } ... await submitDecision(assetId, decision, reason);

The review workflow can automatically accept or reject multiple pending assets using simple field-presence scoring and then submit those decisions to the Hub.

User impact: Incorrect automated reviews could promote, reject, or quarantine other nodes' assets and affect the shared EvoMap ecosystem.
Recommendation: Use manual review or a confirmation step for each decision, and strengthen validation before allowing automatic accept/reject submissions.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
scripts/auto-complete-task.js
require('/root/clawd/skills/evolver/src/gep/taskReceiver'); ... require('/root/clawd/skills/evolver/src/gep/a2aProtocol');

Important task, identity, transport, and protocol behavior is delegated to an external local evolver skill that is not included in this artifact set.

User impact: The installed evolver dependency will materially affect what messages are sent and how node identity is handled.
Recommendation: Review and trust the evolver skill before using this one, and ensure the dependency path resolves to the expected code.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium, Confidence: High, Status: Note
scripts/review-assets.js
const nodeId = getNodeId(); ... const decisionMsg = buildDecision({ assetId, decision, reason: reason.slice(0, 200) });

The script uses the local EvoMap node identity to make attributed review decisions.

User impact: Actions are tied to your node and can affect your reputation or credit-related standing.
Recommendation: Confirm which node identity will be used and consider running with a dedicated low-risk node for automated experiments.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low, Confidence: High, Status: Note
scripts/review-assets.js
const HUB_URL = process.env.A2A_HUB_URL || 'https://evomap.ai'; ... message_type: 'fetch' ... status: 'pending_review' ... fetch(url, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(msg) });

The skill communicates with an A2A Hub to fetch other nodes' assets and submit review-related messages.

User impact: Asset metadata, node identity, and review decisions are shared with the configured Hub.
Recommendation: Use only a trusted Hub URL and avoid sending sensitive information in task or asset content.