Auto Skill Evolver
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a disclosed self-modifying skill, but it deserves careful review because it can run local commands and persistently rewrite skills based on logs or chat-driven approval flows.
Install only if you intentionally want a skill that can evolve and rewrite other skills. Use a sandbox or test skill first, keep interactive review enabled, require exact proposal hashes for approval, inspect diffs before applying, and avoid feeding it untrusted traces or broad local commands.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A broad or ambiguous chat request could route to a skill-changing action, potentially applying or managing proposals for the wrong skill.
Natural-language keywords can be mapped to an approval action, and an omitted target defaults to the evolver skill itself. For a workflow that rewrites skill files, this makes approval scope and target selection too implicit.
elif any(k in lower for k in approve_keywords_en):
action = "approve"
...
if not skill_ref and action in ("propose", "status", "approve"):
skill_ref = "auto-skill-evolver"Require an explicit skill path and proposal hash for approvals, avoid defaulting approvals to the current skill, and keep interactive review enabled.
Malicious or accidental content in logs or feedback could become part of a persistent skill instruction and affect later tasks.
Trace and feedback text are used as context for generating persistent skill updates. If logs contain adversarial or misleading instructions, they can influence future agent behavior through the rewritten skill.
Evaluate: The execution trace and user feedback are captured. Optimize: A local OpenClaw sub-agent is spawned to analyze the trace and optimize the skill file. Rewrite: The sub-agent writes updates using atomic replace
Treat traces and feedback as untrusted input, review full diffs before applying, prefer exact hash approval, and avoid using logs from untrusted sources.
Commands supplied to the training loop can modify files or systems if the user provides a powerful command.
The training loop executes a user-supplied local command. It disables shell execution and rejects shell operators, so this is purpose-aligned, but it still gives the workflow broad local execution power.
result = subprocess.run(args, shell=False, check=True, capture_output=True, text=True)
Only run trusted, narrowly scoped commands, preferably in a sandbox or test workspace.
The optimization sub-agent may operate with the privileges of the user's configured OpenClaw environment.
The skill relies on the user's existing local OpenClaw configuration. That is expected for this integration, but it may use whatever account permissions the local agent already has.
No external API key required (uses your local OpenClaw agent configuration).
Use a least-privileged OpenClaw configuration and avoid running this against production or sensitive workspaces without review.
Users have less registry-level assurance about where the runnable helper code and required local CLI come from.
The registry metadata gives limited provenance and does not declare required binaries, while the skill includes executable Python scripts and documents an OpenClaw CLI dependency.
Source: unknown Homepage: none Required binaries (all must exist): none No install spec — this is an instruction-only skill.
Verify the package source and local OpenClaw CLI installation before running the skill.