Low Risk — Risk Score 22/100
Last scan: 23 hr ago
local-self-healing-machine-learning
A fully local ML engine that learns from agent runtime history, detects errors via embeddings or regex, and autonomously evolves fix strategies with auditable GEP protocol.
A legitimate self-healing ML engine with minor documentation gaps: filesystem WRITE and shell execution are used for core functionality (git operations, code evolution, skill auto-heal) but are not explicitly declared in SKILL.md's capability section. Remote Ollama install via curl|bash is documented as an optional setup step. No actual malicious behavior observed.
Skill Name: local-self-healing-machine-learning
Duration: 134.8s
Engine: pi
Verdict: Safe to install
Add an explicit 'Declared Capabilities' section to SKILL.md listing filesystem:WRITE (for code evolution and skill auto-heal), shell:WRITE (for git/npm operations), and network:READ (localhost Ollama). Clarify that hardcoded test credentials in test/ are test fixtures for the sanitize module. Consider pinning dotenv version.

Findings (7 items)

Each finding gives severity, title and category, description, the evidence line, the recommendation (→), and the file location.
Medium
Undeclared filesystem WRITE capability (Doc Mismatch)
SKILL.md claims 'zero network calls' and no telemetry but does not declare filesystem WRITE operations. The skill actively writes new source code files (genes, capsules, evolution artifacts, skill stubs) and modifies existing files via the solidify pipeline and skill distiller.
fs.writeFileSync(path.join(skillPath, 'SKILL.md'), '# ' + skillName + '\n\n' + name + ' skill.\n');
→ Add 'filesystem:WRITE' to declared capabilities in SKILL.md, specifically noting writes to memory/, assets/, and skills/ directories.
src/gep/skillDistiller.js:89
Medium
Undeclared shell:WRITE capability via execSync (Doc Mismatch)
The skill uses execSync for git operations (rebase abort, merge abort, reset, fetch), npm install in skills directories, and system health checks (pgrep, ps aux, tasklist). These are not declared as capabilities.
execSync('git rebase --abort', { cwd: root, stdio: 'ignore' });
→ Add 'shell:WRITE' to declared capabilities in SKILL.md, listing git and npm as documented operations.
src/ops/self_repair.js:9
Medium
Remote script execution via curl|bash documented in SKILL.md (Supply Chain)
SKILL.md line 43 instructs users to run 'curl -fsSL https://ollama.com/install.sh | sh' to install Ollama. Although this is documented, piping a remote script straight into a shell is a high-risk installation pattern: the script is executed unreviewed, nothing pins its contents (what runs is whatever the server returns at that moment, so it can differ from anything a user read earlier), and the Ollama installer runs with elevated privileges to install system components.
curl -fsSL https://ollama.com/install.sh | sh
→ Replace with platform-specific installation instructions (e.g., 'brew install ollama' on macOS, or a manual download), or at least tell users to download the script to disk, read it, and run it as a separate step.
SKILL.md:43
Low
Unpinned dotenv dependency (Supply Chain)
package.json declares dotenv as ^16.4.7. A caret range resolves to the newest 16.x release available at install time (it does not admit 17.x), so a fresh install without a committed lockfile can pull a 16.x minor or patch release that nobody reviewed. That unreviewed drift, not a major-version jump, is the supply-chain exposure here.
"dotenv": "^16.4.7"
→ Pin to an exact version ("dotenv": "16.4.7"), or commit package-lock.json and install with npm ci; either way the resolved version stops moving between installs.
package.json:19
Low
Skill auto-heal runs npm install in skills directory (Priv Escalation)
skills_monitor.js auto-runs 'npm install --production' in any skill directory that has dependencies but no node_modules. npm install executes the preinstall/install/postinstall scripts of that package.json and of every dependency it pulls in, so a malicious or compromised skill package dropped into the skills directory gets arbitrary code execution as the agent user the next time the monitor runs, not merely an install.
execSync('npm install --production --no-audit --no-fund', { cwd: skillPath, stdio: 'ignore', timeout: 60000 });
→ Run the install with --ignore-scripts and only for skill directories on an allowlist, and add npm install to the validation command stripper (like skillDistiller.js does) so a distilled skill cannot trigger it. Consider verifying package.json integrity (a recorded hash) before running npm install.
src/ops/skills_monitor.js:67
Info
Reads session logs from ~/.openclaw/agents/ (Sensitive Access)
The evolver reads session log files from ~/.openclaw/agents/<AGENT_NAME>/sessions/. These logs may contain sensitive information including user queries, tool results, and potentially credentials. The skill reads the last 20KB of up to 6 recent sessions.
const AGENT_SESSIONS_DIR = path.join(os.homedir(), `.openclaw/agents/${AGENT_NAME}/sessions`);
→ Document that session log access is required for error signal extraction. Redact secrets (API keys, tokens, emails) from session content before it is embedded, classified or persisted, not only before capsule broadcast.
src/evolve.js:65
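Redaction of session content before it reaches the classifier, as an added example that is not the project's sanitize.js. The patterns cover the same token families as the fixtures this report lists under test/sanitize.test.js (sk-, ghp_/gho_, AKIA, emails) plus PEM private keys and Bearer headers; the session lines are constructed, and redact, errorSignals and the placeholder strings are this example's own names.

```javascript
// Added example, not the project's sanitize.js: redact secrets from session
// log text before the error classifier sees it. Sample lines are constructed.
const RULES = [
  // PEM blocks first so later rules do not chew through their body.
  { name: 'private_key', re: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g, sub: '[REDACTED_PRIVATE_KEY]' },
  { name: 'github_token', re: /\bgh[pousr]_[A-Za-z0-9]{36}\b/g, sub: '[REDACTED_GITHUB_TOKEN]' },
  { name: 'aws_access_key', re: /\bAKIA[0-9A-Z]{16}\b/g, sub: '[REDACTED_AWS_KEY]' },
  { name: 'openai_style_key', re: /\bsk-[A-Za-z0-9_-]{20,}/g, sub: '[REDACTED_API_KEY]' },
  { name: 'bearer', re: /\bBearer\s+[A-Za-z0-9._~+/=-]{16,}/g, sub: 'Bearer [REDACTED]' },
  { name: 'email', re: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g, sub: '[REDACTED_EMAIL]' },
];

// Lines the classifier should look at; kept loose on purpose (prefix match).
const ERROR_SIGNAL = /\b(error|fatal|exception|failed|invalid|econn)/i;

// Returns the redacted text plus a per-rule hit count for audit logging.
function redact(text) {
  const counts = {};
  let out = text;
  for (const { name, re, sub } of RULES) {
    let n = 0;
    out = out.replace(re, () => { n += 1; return sub; });
    if (n) counts[name] = n;
  }
  return { text: out, counts };
}

// What the classifier is allowed to see: redacted lines that look like errors.
function errorSignals(sessionText) {
  return redact(sessionText).text.split('\n').filter((line) => ERROR_SIGNAL.test(line));
}

// Constructed session excerpt (JSONL-style lines), not a real agent log. The key
// values are the fixture strings this report lists for test/sanitize.test.js.
const SAMPLE_SESSION = [
  '{"role":"tool","name":"http","output":"Error: connect ECONNREFUSED 127.0.0.1:11434"}',
  '{"role":"user","content":"use OPENAI_API_KEY=sk-abcdefghijklmnopqrstuvwxyz and email ops@example.org"}',
  `{"role":"tool","name":"git","output":"fatal: Authentication failed for token ghp_${'x'.repeat(36)}"}`,
  '{"role":"tool","name":"aws","output":"InvalidClientTokenId: AKIAIOSFODNN7EXAMPLE"}',
  '{"role":"tool","name":"http","output":"Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.c2lnbmF0dXJl"}',
].join('\n');

module.exports = { RULES, redact, errorSignals, SAMPLE_SESSION };
```

The error text the evolver needs (here the ECONNREFUSED line pointing at the Ollama port) survives intact; only the credential-shaped substrings are replaced, and the counts give an audit trail of how much was stripped from each session without storing what was stripped.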
Info
SKILL.md tagline overstates 'zero network calls' (Doc Mismatch)
SKILL.md claims 'without ever calling home, revealing your machine ID, or exposing any security holes' and '100% on your machine with zero network calls'. While the hub is disabled, the skill does make HTTP calls to localhost:11434 (Ollama) and optionally to clawhub CLI for auto-update.
A fully local machine learning engine... 100% on your machine with zero network calls.
→ Update tagline to 'No external network calls (uses local Ollama at localhost:11434 for optional embeddings)' to be technically accurate.
SKILL.md:17
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | WRITE | ✗ Violation | src/ops/skills_monitor.js:89 writes SKILL.md stubs; src/gep/skillDistiller.js wr…
Shell | NONE | WRITE | ✗ Violation | src/ops/self_repair.js:9 execSync('git rebase --abort'); src/ops/skills_monitor.…
Network | READ | READ | ✓ Aligned | src/ml/embeddings.js:88 POSTs to http://localhost:11434 (Ollama). Declared in SK…
Environment | NONE | READ | ✓ Aligned | index.js:7 dotenv config; src/evolve.js:36 process.env reads for EVOLVE_STRATEGY…
Skill Invoke | NONE | READ | ✓ Aligned | src/ops/skills_monitor.js:31 reads SKILL.md and package.json from skills directo…
Clipboard | NONE | NONE | | No clipboard access found
Browser | NONE | NONE | | No browser access; dashboard serves local HTML only
Database | NONE | NONE | | No database access found; uses local JSON/JSONL files
Pattern scan: 10 findings (6 Critical). The Critical hits under test/ are the sanitize and distiller test fixtures discussed under Security Positives below; the only one outside test/ is the curl|sh install line in SKILL.md.

Critical · Dangerous Command (shell)
curl -fsSL https://ollama.com/install.sh | sh
SKILL.md:43

Critical · API Key (hardcoded)
sk-abcdefghijklmnopqrstuvwxyz
test/sanitize.test.js:10

Critical · API Key (hardcoded)
ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
test/sanitize.test.js:19

Critical · API Key (hardcoded)
gho_abcdefghijklmnopqrstuvwxyz1234567890
test/sanitize.test.js:21

Critical · API Key (hardcoded)
AKIAIOSFODNN7EXAMPLE
test/sanitize.test.js:29

Critical · Dangerous Command (shell)
rm -rf /
test/skillDistiller.test.js:210

Medium · External URL
https://mastermindshq.business
SKILL.md:5

Medium · External URL
https://ollama.com/install.sh
SKILL.md:43

Info · Email Address
[email protected]
test/sanitize.test.js:57

Info · Email Address
[email protected]
test/sanitize.test.js:74

File Tree

71 files · 489.3 KB · 13151 lines
JavaScript: 66 files, 12525 lines · HTML: 1 file, 365 lines · Markdown: 2 files, 206 lines · JSON: 2 files, 55 lines
├─ 📁 dashboard
│ ├─ 📄 index.html HTML 365L · 18.0 KB
│ └─ 📜 server.js JavaScript 112L · 3.8 KB
├─ 📁 memory
│ └─ 📋 knowledge.json JSON 28L · 708 B
├─ 📁 scripts
│ ├─ 📜 analyze_by_skill.js JavaScript 121L · 4.7 KB
│ ├─ 📜 extract_log.js JavaScript 85L · 2.5 KB
│ ├─ 📜 generate_history.js JavaScript 75L · 2.5 KB
│ ├─ 📜 gep_append_event.js JavaScript 96L · 3.0 KB
│ ├─ 📜 gep_personality_report.js JavaScript 234L · 7.7 KB
│ ├─ 📜 human_report.js JavaScript 147L · 5.7 KB
│ ├─ 📜 suggest_version.js JavaScript 89L · 3.0 KB
│ └─ 📜 validate-modules.js JavaScript 8L · 437 B
├─ 📁 src
│ ├─ 📁 gep
│ │ ├─ 📜 a2a.js JavaScript 173L · 6.3 KB
│ │ ├─ 📜 a2aProtocol.js JavaScript 161L · 7.1 KB
│ │ ├─ 📜 analyzer.js JavaScript 35L · 988 B
│ │ ├─ 📜 assetCallLog.js JavaScript 130L · 3.4 KB
│ │ ├─ 📜 assets.js JavaScript 36L · 1.1 KB
│ │ ├─ 📜 assetStore.js JavaScript 353L · 13.2 KB
│ │ ├─ 📜 bridge.js JavaScript 71L · 2.0 KB
│ │ ├─ 📜 candidates.js JavaScript 183L · 6.2 KB
│ │ ├─ 📜 contentHash.js JavaScript 65L · 2.1 KB
│ │ ├─ 📜 deviceId.js JavaScript 32L · 1.0 KB
│ │ ├─ 📜 envFingerprint.js JavaScript 28L · 830 B
│ │ ├─ 📜 hubSearch.js JavaScript 11L · 532 B
│ │ ├─ 📜 llmReview.js JavaScript 15L · 609 B
│ │ ├─ 📜 memoryGraph.js JavaScript 771L · 26.9 KB
│ │ ├─ 📜 memoryGraphAdapter.js JavaScript 17L · 856 B
│ │ ├─ 📜 mutation.js JavaScript 186L · 6.7 KB
│ │ ├─ 📜 narrativeMemory.js JavaScript 108L · 3.7 KB
│ │ ├─ 📜 paths.js JavaScript 86L · 2.5 KB
│ │ ├─ 📜 personality.js JavaScript 355L · 13.2 KB
│ │ ├─ 📜 prompt.js JavaScript 566L · 22.6 KB
│ │ ├─ 📜 questionGenerator.js JavaScript 3L · 139 B
│ │ ├─ 📜 reflection.js JavaScript 127L · 4.2 KB
│ │ ├─ 📜 sanitize.js JavaScript 67L · 2.2 KB
│ │ ├─ 📜 selector.js JavaScript 285L · 10.6 KB
│ │ ├─ 📜 signals.js JavaScript 428L · 19.8 KB
│ │ ├─ 📜 skillDistiller.js JavaScript 499L · 19.5 KB
│ │ ├─ 📜 solidify.js JavaScript 1437L · 59.0 KB
│ │ ├─ 📜 strategy.js JavaScript 126L · 4.4 KB
│ │ ├─ 📜 taskReceiver.js JavaScript 9L · 517 B
│ │ └─ 📜 validationReport.js JavaScript 55L · 2.1 KB
│ ├─ 📁 ml
│ │ ├─ 📜 embeddings.js JavaScript 219L · 6.1 KB
│ │ ├─ 📜 errorClassifier.js JavaScript 137L · 4.3 KB
│ │ ├─ 📜 feedbackLoop.js JavaScript 165L · 4.7 KB
│ │ ├─ 📜 knowledgeBase.js JavaScript 144L · 4.6 KB
│ │ ├─ 📜 predictor.js JavaScript 163L · 4.7 KB
│ │ └─ 📜 trainer.js JavaScript 40L · 1.2 KB
│ ├─ 📁 ops
│ │ ├─ 📜 cleanup.js JavaScript 80L · 2.5 KB
│ │ ├─ 📜 commentary.js JavaScript 60L · 1.7 KB
│ │ ├─ 📜 index.js JavaScript 10L · 333 B
│ │ ├─ 📜 innovation.js JavaScript 67L · 3.1 KB
│ │ ├─ 📜 self_repair.js JavaScript 82L · 3.1 KB
│ │ ├─ 📜 skills_monitor.js JavaScript 143L · 5.3 KB
│ │ └─ 📜 trigger.js JavaScript 33L · 837 B
│ └─ 📜 evolve.js JavaScript 1678L · 64.6 KB
├─ 📁 test
│ ├─ 📜 contentHash.test.js JavaScript 106L · 3.5 KB
│ ├─ 📜 embeddings.test.js JavaScript 60L · 1.8 KB
│ ├─ 📜 feedbackLoop.test.js JavaScript 126L · 3.6 KB
│ ├─ 📜 knowledgeBase.test.js JavaScript 117L · 4.1 KB
│ ├─ 📜 mutation.test.js JavaScript 142L · 4.6 KB
│ ├─ 📜 predictor.test.js JavaScript 32L · 788 B
│ ├─ 📜 sanitize.test.js JavaScript 90L · 3.9 KB
│ ├─ 📜 selector.test.js JavaScript 124L · 4.1 KB
│ ├─ 📜 signals.test.js JavaScript 217L · 9.9 KB
│ ├─ 📜 skillDistiller.test.js JavaScript 486L · 16.9 KB
│ ├─ 📜 strategy.test.js JavaScript 133L · 4.8 KB
│ └─ 📜 validationReport.test.js JavaScript 148L · 4.8 KB
├─ 📜 index.js JavaScript 338L · 13.4 KB
├─ 📋 package.json JSON 27L · 942 B
├─ 📝 SECURITY.md Markdown 83L · 3.5 KB
└─ 📝 SKILL.md Markdown 123L · 5.2 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
dotenv | ^16.4.7 | npm | No | Version not pinned (caret range)

Security Positives

✓ No actual credential theft or data exfiltration observed — sanitize.js actively redacts API keys, tokens, emails, and private keys from capsule payloads before any potential broadcast
✓ Comprehensive safety mechanisms: blast radius limits, ethics committee, circuit breakers, rollback on failure, LLM review gate before skill distillation
✓ Auto-update is disabled by default and requires explicit opt-in via openclaw.json — supply chain risk is acknowledged and mitigated
✓ Skill distiller strips dangerous validation commands (rm -rf /, shell expansions) before execution — rm -rf / in tests is a test case for this safety feature, not a live vulnerability
✓ Hardcoded API keys in test/sanitize.test.js are clearly fake test fixtures (sk-abcdefgh..., ghp_xxx..., AKIAIOSFODNN7EXAMPLE) used for regression testing of the redactString function
✓ Hub search, task receiver, and A2A HTTP transport are all stubbed out — local-only build confirmed by code
✓ Device ID is a randomly generated UUID stored locally, not a hardware fingerprint
✓ Environment fingerprint collects only node version, platform, and arch — no MAC addresses, hostnames, or hardware identifiers
✓ Session scope isolation prevents cross-channel/cross-project memory contamination via EVOLVER_SESSION_SCOPE
✓ EVOLVE_ALLOW_SELF_MODIFY is off by default with explicit warning 'Not recommended'
✓ No base64-encoded execution, no eval(), no obfuscation, no anti-analysis techniques