Skill Trust Decision

capability-evolver-zc

The skill has extensive undeclared shell execution, undeclared external network calls to evomap.ai, and stores hardcoded credentials in test files — a significant doc-to-code mismatch across filesystem, shell, and network resources.

Source: Manual upload
Scanned: Apr 3, 2026
Files 76
Artifacts 14
Violations 5
Findings 9

Why this conclusion was reached

2/4 dimensions flagged

Declared vs actual capability: Block
5 undeclared or violating capabilities were inferred.

Hidden execution and egress: Block
5 high-risk artifacts or egress signals were extracted.

Attack chain and severe findings: Pass
There is no explicit malicious chain in the report.

Dependencies and supply chain hygiene: Review
2 dependency or supply-chain issues need attention.

What drove the risk score up

Undeclared shell execution +20

SKILL.md declares no shell access, but execSync is used for git diff/status, process enumeration (ps/pgrep/tasklist), df, clawhub update, and INTEGRATION_STATUS_CMD; none of this is declared.

Undeclared external network calls +15

The SKILL.md setup section mentions node registration, but the A2A_HUB_URL network calls (heartbeat every 6 min, fetch, publish, report, review) are not declared as capabilities.

Hardcoded API credentials in test file +5

test/sanitize.test.js contains 5 hardcoded API keys (OpenAI sk-, GitHub ghp_/gho_, AWS AKIAIOSFODNN7EXAMPLE); a test artifact, but poor security hygiene.

Dangerous shell command in test corpus +5

test/skillDistiller.test.js:210 contains 'rm -rf /' as a validation-filter test case; it is filtered by the allow-list but remains a dangerous corpus entry.

Most important evidence

Medium

Undeclared shell command execution throughout codebase

SKILL.md declares no shell access, yet execSync is used extensively: git diff/status/reset/checkout operations, process enumeration (ps, pgrep, tasklist), filesystem df, clawhub update, and INTEGRATION_STATUS_CMD dynamic execution. These capabilities are completely absent from the SKILL.md capability declaration section.

src/evolve.js:1
Add a 'Declared Shell Commands' section to SKILL.md listing: git, pgrep/ps/tasklist, clawhub, INTEGRATION_STATUS_CMD. Alternatively, add a shell:NONE declaration and remove the execSync dependencies.

Medium

Undeclared external network communications to evomap.ai

The skill connects to evomap.ai (via A2A_HUB_URL) for: heartbeat every 6 minutes (sendHeartbeat), hub search (hubSearch), asset publishing (httpTransportSend), task fetching, hub review submission, and hello registration. None of these network operations are declared in SKILL.md.

src/gep/a2aProtocol.js:1
Declare network:WRITE in SKILL.md with endpoints: evomap.ai/a2a/* (heartbeat, fetch, publish, report, decision, revoke). Mention that the published data includes sanitized Gene+Capsule bundles.

Medium

Environment fingerprinting sent to external hub

captureEnvFingerprint() in envFingerprint.js collects: device_id (computed from ~/.evomap/device-id), hostname (hashed), node version, platform, arch, OS release, cwd (hashed), and container status. This is embedded in every Capsule and EvolutionEvent, and published to the hub.

src/gep/envFingerprint.js:1
Document in SKILL.md that environment fingerprints (hashed identifiers) are collected and published to the hub. Consider using a privacy-preserving fingerprint that doesn't include cwd paths.

Medium

Session log reading from agent home directory

The evolver reads session logs from ~/.openclaw/agents/${AGENT_NAME}/sessions/*.jsonl, which may contain sensitive conversation data, tool results, and credentials passed as arguments. While the skill filters some sensitive content, raw session data is parsed and used in evolution reasoning.

src/evolve.js:1
Document in SKILL.md that session logs from ~/.openclaw/agents/ are read. Add a sanitization note explaining that credentials in session logs are redacted before use in prompts.

Medium

Dynamic command execution via INTEGRATION_STATUS_CMD env var

When INTEGRATION_STATUS_CMD is set as an environment variable, execSync executes its value as a shell command. This is an indirect RCE vector if an attacker can set this environment variable — the evolver will execute arbitrary commands and include the output in the health report.

src/evolve.js:1
Either remove INTEGRATION_STATUS_CMD dynamic execution, or document it prominently in SKILL.md as an allowed arbitrary command execution vector.

Medium

Validation command allow-list has narrow coverage — dangerous commands present in test corpus

The validation command filter in validateSynthesizedGene() and isValidationCommandAllowed() only allows 'node ', 'npm ', 'npx ' prefixes and blocks shell operators. However, test/skillDistiller.test.js:210 includes 'rm -rf /' as a test input for this filter, confirming that dangerous commands ARE part of the input corpus. While the filter correctly blocks it, the presence of such commands in distillation inputs is alarming.

test/skillDistiller.test.js:210
Add 'rm -rf' and other destructive patterns to a deny-list in addition to the current allow-list prefix approach.

Low

Hardcoded API credentials in test file

test/sanitize.test.js contains 5 hardcoded API key patterns: OpenAI sk- key, GitHub ghp_ and gho_ tokens, AWS AKIAIOSFODNN7EXAMPLE, and others. These are used as test inputs for the redactString function. While they are test artifacts (not production credentials), storing real-looking credentials in source code is poor security hygiene.

test/sanitize.test.js:10
Use synthetic/fictional credentials that don't match real patterns, or generate them dynamically in tests.

Low

Node secret stored in plaintext on filesystem

A2A_NODE_SECRET is persisted to ~/.evomap/node_secret with mode 0o600. While the permission is restrictive, the secret is stored in plaintext on disk and used as an HMAC key for signing published assets.

src/gep/a2aProtocol.js:1
Consider using OS keychain (e.g., keytar) for node secret storage instead of plaintext files.

1 more finding is not expanded here.

Declared capability vs actual capability

Filesystem: Block (declared NONE, inferred WRITE)
Evidence: src/gep/solidify.js execSync calls git reset/hard, git restore, git clean; index.js --review mode calls git checkout; src/evolve.js writes to the workspace via LLM prompts.

Shell: Block (declared NONE, inferred WRITE)
Evidence: src/evolve.js execSync for git/ps/pgrep/tasklist/df/clawhub; src/gep/solidify.js runCmd execSync for git; src/gep/a2aProtocol.js httpTransportSend uses the Node.js fetch API for network; all undeclared in SKILL.md.

Network: Block (declared NONE, inferred WRITE)
Evidence: src/gep/a2aProtocol.js sendHeartbeat POSTs to A2A_HUB_URL every 6 min; hubSearch (src/gep/hubSearch.js) fetches from the hub; httpTransportSend publishes sanitized assets; all external network calls undeclared in SKILL.md.

Environment: Block (declared NONE, inferred READ)
Evidence: src/gep/envFingerprint.js captures hostname hash, device_id, platform, node_version, cwd hash; src/gep/a2aProtocol.js reads A2A_NODE_ID, A2A_HUB_URL, A2A_NODE_SECRET, AGENT_NAME.

Skill Invoke: Block (declared NONE, inferred READ)
Evidence: src/evolve.js reads session logs from ~/.openclaw/agents/*/sessions/; src/gep/bridge.js renders prompt artifacts for the LLM to execute arbitrary code.

Suspicious artifacts and egress

Critical · API Key · sk-abcdefghijklmnopqrstuvwxyz · test/sanitize.test.js:10
Critical · API Key · ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx · test/sanitize.test.js:19
Critical · API Key · gho_abcdefghijklmnopqrstuvwxyz1234567890 · test/sanitize.test.js:21
Critical · API Key · AKIAIOSFODNN7EXAMPLE · test/sanitize.test.js:29
Critical · Dangerous Command · rm -rf / · test/skillDistiller.test.js:210
Medium · External URL · https://evomap.ai · README.md:5
Medium · External URL · https://evomap.ai/wiki · README.md:5
Medium · External URL · https://api.star-history.com/svg?repos=autogame-17/evolver&type=Date · README.md:255
Medium · External URL · https://star-history.com/#autogame-17/evolver&Date · README.md:255
Medium · External URL · https://mowen.cn · README.md:270
Medium · External URL · https://evomap.ai/claim/ · SKILL.md:45
Medium · External URL · https://www.clawhub.ai · scripts/publish_public.js:410

Dependencies and supply chain

Package | Version | Source | Known vuln | Notes
dotenv | ^16.4.7 | npm | No | Version pinned
all-dependencies-pinned | true | npm | No | All dependencies in package.json have pinned versions

File composition

76 files · 16419 lines
JavaScript · 68 files · 15543 lines
Markdown · 4 files · 655 lines
JSON · 4 files · 221 lines
Files of concern · 5
src/gep/solidify.js JavaScript · 1651 lines
EVOLVE_ALLOW_SELF_MODIFY enables evolver self-modification
src/evolve.js JavaScript · 1676 lines
Undeclared shell command execution throughout codebase · Session log reading from agent home directory · Dynamic command execution via INTEGRATION_STATUS_CMD env var
src/gep/a2aProtocol.js JavaScript · 672 lines
Undeclared external network communications to evomap.ai · Node secret stored in plaintext on filesystem
scripts/publish_public.js JavaScript · 614 lines
https://www.clawhub.ai
test/skillDistiller.test.js JavaScript · 486 lines
Validation command allow-list has narrow coverage — dangerous commands present in test corpus · rm -rf /
Other files · memoryGraph.js · prompt.js · skillDistiller.js · signals.js · index.js · taskReceiver.js +1

Security positives

Comprehensive sanitization pipeline (sanitize.js) redacts API keys, tokens, private keys, paths, emails, and .env references before hub publishing
Ethics enforcement in checkConstraints() blocks strategies attempting safety bypass, covert monitoring, social engineering, or transparency violations
Blast radius hard caps (60 files / 20000 lines) cannot be overridden by genes — system-level safety guard
Critical path protection prevents evolver from modifying protected skill directories (feishu-*, clawhub, git-sync, evolver)
Validation command allow-list restricts execution to 'node ', 'npm ', 'npx ' prefixes with shell operator blocking
Canary check (runCanaryCheck) verifies index.js loads in an isolated child process before solidify commits changes
Optional LLM review gate (EVOLVER_LLM_REVIEW) can reject changes before commit
Auto-rollback on failure (EVOLVER_ROLLBACK_MODE=stash/hard) prevents accumulation of bad changes
Dormant hypothesis system preserves partial state during backoff to prevent data loss
Repair loop circuit breaker prevents infinite repair-retry cycles
Memory graph integrity check throws if causal memory cannot be written, refusing to evolve blindly
Dependency scan: no known-vulnerable packages detected, all npm dependencies are pinned