Security Decision Report

capability-evolver-zc

The skill has extensive undeclared shell execution, undeclared external network calls to evomap.ai, and stores hardcoded credentials in test files — a significant doc-to-code mismatch across filesystem, shell, and network resources.

Install decision: prioritized · Source: manual upload · Scan time: 2026/4/3
Files: 76
IOCs: 14
Over-privilege items: 5
Findings: 9
Most direct threat evidence

Why this conclusion was reached

2/4 dimensions triggered
Block
Declared vs actual capabilities

Found 5 capabilities or over-privileged behaviors beyond what is declared.

Block
Hidden execution and outbound connections

Extracted 5 high-risk IOCs or outbound-connection signals.

Pass
Attack chain and high-risk findings

No clear malicious path was formed.

Review
Dependency and supply-chain hygiene

Found 2 dependency or supply-chain indicators that need attention.

How the risk score was raised

Undeclared shell execution +20

SKILL.md declares no shell access, but execSync is used for git diff/status, process enumeration (ps/pgrep/tasklist), df, clawhub update, and INTEGRATION_STATUS_CMD — completely undeclared

Undeclared external network calls +15

SKILL.md setup section mentions node registration but A2A_HUB_URL network calls (heartbeat every 6min, fetch, publish, report, review) are not declared as capabilities

Hardcoded API credentials in test file +5

test/sanitize.test.js contains 5 hardcoded API keys (OpenAI sk-, GitHub ghp_/gho_, AWS AKIAIOSFODNN7EXAMPLE) — test artifact but poor security hygiene

Dangerous shell command in test corpus +5

test/skillDistiller.test.js:210 contains 'rm -rf /' as a validation-filter test case; filtered by allow-list but represents a dangerous corpus entry

Most critical evidence

Medium

Undeclared shell command execution throughout codebase

SKILL.md declares no shell access, yet execSync is used extensively: git diff/status/reset/checkout operations, process enumeration (ps, pgrep, tasklist), filesystem df, clawhub update, and INTEGRATION_STATUS_CMD dynamic execution. These capabilities are completely absent from the SKILL.md capability declaration section.

src/evolve.js:1
Add a 'Declared Shell Commands' section to SKILL.md listing: git, pgrep/ps/tasklist, clawhub, INTEGRATION_STATUS_CMD. Alternatively, add shell:NONE declaration and remove execSync dependencies.
Medium

Undeclared external network communications to evomap.ai

The skill connects to evomap.ai (via A2A_HUB_URL) for: heartbeat every 6 minutes (sendHeartbeat), hub search (hubSearch), asset publishing (httpTransportSend), task fetching, hub review submission, and hello registration. None of these network operations are declared in SKILL.md.

src/gep/a2aProtocol.js:1
Declare network:WRITE in SKILL.md with endpoints: evomap.ai/a2a/* (heartbeat, fetch, publish, report, decision, revoke). Mention data published includes sanitized Gene+Capsule bundles.
Medium

Environment fingerprinting sent to external hub

captureEnvFingerprint() in envFingerprint.js collects: device_id (computed from ~/.evomap/device-id), hostname (hashed), node version, platform, arch, OS release, cwd (hashed), and container status. This is embedded in every Capsule and EvolutionEvent, and published to the hub.

src/gep/envFingerprint.js:1
Document in SKILL.md that environment fingerprints (hashed identifiers) are collected and published to the hub. Consider using a privacy-preserving fingerprint that doesn't include cwd paths.
Medium

Session log reading from agent home directory

The evolver reads session logs from ~/.openclaw/agents/${AGENT_NAME}/sessions/*.jsonl, which may contain sensitive conversation data, tool results, and credentials passed as arguments. While the skill filters some sensitive content, raw session data is parsed and used in evolution reasoning.

src/evolve.js:1
Document in SKILL.md that session logs from ~/.openclaw/agents/ are read. Add sanitization note explaining that credentials in session logs are redacted before use in prompts.
Medium

Dynamic command execution via INTEGRATION_STATUS_CMD env var

When INTEGRATION_STATUS_CMD is set as an environment variable, execSync executes its value as a shell command. This is an indirect RCE vector if an attacker can set this environment variable — the evolver will execute arbitrary commands and include the output in the health report.

src/evolve.js:1
Either remove INTEGRATION_STATUS_CMD dynamic execution, or document it prominently in SKILL.md as an allowed arbitrary command execution vector.
Medium

Validation command allow-list has narrow coverage — dangerous commands present in test corpus

The validation command filter in validateSynthesizedGene() and isValidationCommandAllowed() only allows 'node ', 'npm ', 'npx ' prefixes and blocks shell operators. However, test/skillDistiller.test.js:210 includes 'rm -rf /' as a test input for this filter, confirming that dangerous commands ARE part of the input corpus. While the filter correctly blocks it, the presence of such commands in distillation inputs is alarming.

test/skillDistiller.test.js:210
Add 'rm -rf' and other destructive patterns to the deny-list in addition to the current allow-list prefix approach.
Low

Hardcoded API credentials in test file

test/sanitize.test.js contains 5 hardcoded API key patterns: OpenAI sk- key, GitHub ghp_ and gho_ tokens, AWS AKIAIOSFODNN7EXAMPLE, and others. These are used as test inputs for the redactString function. While they are test artifacts (not production credentials), storing real-looking credentials in source code is poor security hygiene.

test/sanitize.test.js:10
Use synthetic/fictional credentials that don't match real patterns, or generate them dynamically in tests.
Low

Node secret stored in plaintext on filesystem

A2A_NODE_SECRET is persisted to ~/.evomap/node_secret with mode 0o600. While the permission is restrictive, the secret is stored in plaintext on disk and used as an HMAC key for signing published assets.

src/gep/a2aProtocol.js:1
Consider using OS keychain (e.g., keytar) for node secret storage instead of plaintext files.

1 further finding is not expanded in this report.

Declared capabilities vs actual capabilities

Filesystem · Block
Declared: NONE
Inferred: WRITE
src/gep/solidify.js:execSync calls git reset/hard, git restore, git clean; index.js --review mode calls git checkout; src/evolve.js writes to workspace via LLM prompts
Command execution · Block
Declared: NONE
Inferred: WRITE
src/evolve.js:execSync for git/ps/pgrep/tasklist/df/clawhub; src/gep/solidify.js:runCmd execSync for git; src/gep/a2aProtocol.js:httpTransportSend uses Node.js fetch API for network; All undeclared in SKILL.md
Network access · Block
Declared: NONE
Inferred: WRITE
src/gep/a2aProtocol.js:sendHeartbeat POST to A2A_HUB_URL every 6min; hubSearch (src/gep/hubSearch.js) fetches from hub; httpTransportSend publishes sanitized assets; All external network calls undeclared in SKILL.md
Environment variables · Block
Declared: NONE
Inferred: READ
src/gep/envFingerprint.js captures hostname hash, device_id, platform, node_version, cwd hash; src/gep/a2aProtocol.js reads A2A_NODE_ID, A2A_HUB_URL, A2A_NODE_SECRET, AGENT_NAME
Skill invocation · Block
Declared: NONE
Inferred: READ
src/evolve.js reads session logs from ~/.openclaw/agents/*/sessions/; src/gep/bridge.js renders prompt artifacts for LLM to execute arbitrary code

Suspicious artifacts and outbound connections

Critical · API key
sk-abcdefghijklmnopqrstuvwxyz

test/sanitize.test.js:10

Critical · API key
ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

test/sanitize.test.js:19

Critical · API key
gho_abcdefghijklmnopqrstuvwxyz1234567890

test/sanitize.test.js:21

Critical · API key
AKIAIOSFODNN7EXAMPLE

test/sanitize.test.js:29

Critical · Dangerous command
rm -rf /

test/skillDistiller.test.js:210

Medium · External URL
https://evomap.ai

README.md:5

Medium · External URL
https://evomap.ai/wiki

README.md:5

Medium · External URL
https://api.star-history.com/svg?repos=autogame-17/evolver&type=Date

README.md:255

Medium · External URL
https://star-history.com/#autogame-17/evolver&Date

README.md:255

Medium · External URL
https://mowen.cn

README.md:270

Medium · External URL
https://evomap.ai/claim/

SKILL.md:45

Medium · External URL
https://www.clawhub.ai

scripts/publish_public.js:410

Dependencies and supply chain

Package                 | Version  | Source | Vulnerabilities | Notes
dotenv                  | ^16.4.7  | npm    | -               | Version pinned
all-dependencies-pinned | true     | npm    | -               | All dependencies in package.json have pinned versions

File composition

76 files · 16419 lines
JavaScript · 68 files · 15543 lines
Markdown · 4 files · 655 lines
JSON · 4 files · 221 lines
Files of concern · 5
src/gep/solidify.js · JavaScript · 1651 lines
EVOLVE_ALLOW_SELF_MODIFY enables evolver self-modification
src/evolve.js · JavaScript · 1676 lines
Undeclared shell command execution throughout codebase · Session log reading from agent home directory · Dynamic command execution via INTEGRATION_STATUS_CMD env var
src/gep/a2aProtocol.js · JavaScript · 672 lines
Undeclared external network communications to evomap.ai · Node secret stored in plaintext on filesystem
scripts/publish_public.js · JavaScript · 614 lines
https://www.clawhub.ai
test/skillDistiller.test.js · JavaScript · 486 lines
Validation command allow-list has narrow coverage — dangerous commands present in test corpus · rm -rf /
Other files · memoryGraph.js · prompt.js · skillDistiller.js · signals.js · index.js · taskReceiver.js +1

Security highlights

Comprehensive sanitization pipeline (sanitize.js) redacts API keys, tokens, private keys, paths, emails, and .env references before hub publishing
Ethics enforcement in checkConstraints() blocks strategies attempting safety bypass, covert monitoring, social engineering, or transparency violations
Blast radius hard caps (60 files / 20000 lines) cannot be overridden by genes — system-level safety guard
Critical path protection prevents evolver from modifying protected skill directories (feishu-*, clawhub, git-sync, evolver)
Validation command allow-list restricts execution to 'node ', 'npm ', 'npx ' prefixes with shell operator blocking
Canary check (runCanaryCheck) verifies index.js loads in an isolated child process before solidify commits changes
Optional LLM review gate (EVOLVER_LLM_REVIEW) can reject changes before commit
Auto-rollback on failure (EVOLVER_ROLLBACK_MODE=stash/hard) prevents accumulation of bad changes
Dormant hypothesis system preserves partial state during backoff to prevent data loss
Repair loop circuit breaker prevents infinite repair-retry cycles
Memory graph integrity check throws if causal memory cannot be written, refusing to evolve blindly
Dependency scan: no known-vulnerable packages detected, all npm dependencies are pinned