Skill v1.0.0
ClawScan security
Agent Self-Evolve · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 21, 2026, 6:40 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's stated purpose (self-improvement) matches its files, but its runtime instructions give the agent broad authority to read and autonomously modify workspace files and skills (execute code fixes / create skills), which is risky without explicit human approval or sandboxing.
- Guidance: This skill can autonomously modify code and other skill files based on entries in memory/skill-improvements.md. Before installing or enabling it: 1) Run it in a safe/test workspace first (do not enable on production workspaces). 2) Require manual approval for any queued item that changes code or skills — e.g., change prompts to explicitly ask the user and block automatic execution. 3) Keep backups / use version control (git) so changes can be reviewed and reverted. 4) Scope file permissions so the agent can only modify a narrow, intended directory. 5) Prefer running daily/weekly jobs in an isolated sessionTarget and avoid 'urgent' automatic execution unless you trust the agent and audit logs. 6) If you plan to let it create or modify skills, require PRs or human review as part of the workflow. These mitigations reduce the risk of unintended or unauthorized changes.
Review Dimensions
- Purpose & Capability (note): The name/description (self-evolve) matches the included materials: a setup script plus prompts and guidance to capture lessons and apply improvements. Creating local memory files and scheduling evolution cycles is coherent with the purpose. However, the declared capability to 'execute queued improvements' (code fixes, skill updates, create skills) is more powerful than a simple logging/analytics tool and should be justified/controlled.
- Instruction Scope (concern): SKILL.md and the cron prompt explicitly instruct the agent to read many workspace files and to implement 'code fixes' and 'skill improvements' from a queue. That grants the agent broad, write-capable access to arbitrary files (skill files, code, MEMORY.md, etc.) and discretion to change behavior. The prompts also recommend creating new skills for repetitive workflows. There is no enforced user-approval step for most modifications (other than a single note about notifying the user before modifying SOUL.md), which is scope creep relative to a benign logger/summary tool.
- Install Mechanism (ok): No network installs or third-party downloads; the only code is an included setup shell script that creates local files under a memory/ directory. The script operates only on the local workspace and does not fetch remote content or create binaries, so installation risk is low.
- Credentials (ok): The skill requests no environment variables, credentials, or config paths. No secrets are requested or required by the included materials.
- Persistence & Privilege (note): The skill instructs users to set up cron jobs that will trigger agent turns daily/weekly and to add real-time hooks which may cause the agent to act automatically. 'always: false' and normal autonomous invocation are used, but the external cron scheduling plus instructions to automatically apply queued code changes increases persistence and the potential blast radius of erroneous or malicious modifications.
