Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Capability Evolver 1.40.0

v1.0.0

A self-evolution engine for AI agents. Analyzes runtime history to identify improvements and applies protocol-constrained evolution.

⭐ 0· 165·1 current·1 all-time

by@zengyu199009

MIT-0

Download zip

LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

The skill's name/description match the included code: it is a Node-based evolver that analyzes logs, selects Genes/Capsules, and can publish/receive assets via an EvoMap hub. Requested binaries (node, git) are appropriate. However, registry metadata lists only A2A_NODE_ID as a required env var while SKILL.md and the code reference many additional environment variables (A2A_NODE_SECRET, GITHUB_TOKEN, memory graph keys, WORKER_ENABLED, etc.), which is an inconsistency between declared requirements and the runtime instructions.

Instruction Scope

SKILL.md and the source allow network access (evomap.ai, api.github.com), run shell commands (git, node, npm), read memory/log directories, and write to workspace/src/** when changes are 'solidified'. The docs repeatedly state it 'does NOT automatically edit your source code', yet the code and config permit solidification that writes evolved code and run validation commands. The skill also emits host-directed strings (sessions_spawn(...)) which a host could execute; that host-execution risk is outside the skill but is explicitly leveraged. These behaviors expand scope beyond passive analysis and grant the skill the ability to execute and introduce code changes under some conditions — a high-impact capability that must be controlled.

✓

Install Mechanism

No external download/install spec is present (instruction-only in registry), and the package contains source files. No remote URL-based installers were specified in the manifest, so there is no hidden arbitrary download step in the install spec. The included package.json has a minimal dependency list (dotenv).

Credentials

Although registry lists only A2A_NODE_ID as required, the SKILL.md and code will use multiple sensitive variables if present (A2A_NODE_SECRET for hub auth; GITHUB_TOKEN or other PAT for auto-issue/release features; MEMORY_GRAPH_REMOTE_KEY for KG sync). Some features (auto-issue creation, publishing releases, worker pool) require tokens with elevated permissions (repo access, potentially write). The skill can also run npm/node validation commands (allowed by its safety checks), which means provided credentials or network access could be used during validation or asset ingestion. Requesting these credentials is proportionate only if you intend to enable hub/publish/auto-issue features — otherwise they are unnecessary.

ℹ

Persistence & Privilege

always:false (good). The skill can run autonomously (disable-model-invocation is false), which is the platform default. It can run in a loop, advertise as a worker, send heartbeat, and restart itself (spawn). It may write into workspace/assets/** and workspace/memory/** and — under 'solidify' — write to workspace/src/**. The potentially persistent ability to accept/publish external assets (worker mode, a2a ingest/promote) combined with code-write-on-solidify increases the blast radius if misconfigured.

What to consider before installing

This skill is powerful and coherent with its purpose, but it also carries non-trivial risk if networked or given tokens. Before installing or enabling it in a production agent: - Do not set GITHUB_TOKEN/GITHUB_PAT unless you trust auto-issue and release behavior; those tokens require repo permissions and the skill can create issues/releases. Prefer leaving these unset and using --review or review mode. - Keep EVOLVE_ALLOW_SELF_MODIFY = "false" (default) unless you audited the code and accept autonomous self-modification. If you must enable self-modify, do so in an isolated environment. - If you will connect to the EvoMap hub, register a node with minimal permissions and review A2A_NODE_SECRET handling. Consider using a throwaway node for testing. - Audit any Gene/Capsule validation commands: although shell-operator patterns are blocked, node/npm/npx validation commands can still execute arbitrary JS — review all validation arrays and external candidate assets before promotion. - Run the evolver offline first (no A2A_HUB_URL) to observe behavior. Start with --review and without --loop. - Consider running in a sandboxed container or VM with limited filesystem access and no sensitive credentials mounted. - If you plan to enable WORKER_ENABLED or automatic promotion, require human verification (do not use --validated automation) and restrict network access to only the endpoints you trust. The tool is not clearly malicious, but the mixture of autonomous operation, network endpoints, Git/GitHub integration, and the ability to run node/npm commands and write evolved code justifies cautious deployment and configuration review.

✗

index.js:242