Skill Trust Decision

evolution-watcher

Skill declares read-only monitoring but contains file modification capabilities (patch application via subprocess), which contradict its stated security claims.

Install decision first
Source: Manual upload
Scanned: Apr 5, 2026
Files 36
Artifacts 3
Violations 3
Findings 5
Most direct threat evidence
01
Skill presents as read-only monitoring tool in SKILL.md
deception · SKILL.md
02
User runs monitor.py to check plugin updates
Entry · scripts/monitor.py
03
Code accesses /root/.openclaw/workspace/ for registry and plugin information
recon · scripts/monitor.py

Why this conclusion was reached

3/4 dimensions flagged
Block
Declared vs actual capability

3 undeclared or violating capabilities were inferred.

Block
Hidden execution and egress

1 high-risk artifact or egress signal was extracted.

Block
Attack chain and severe findings

The report includes 6 attack-chain steps and 2 severe findings.

Pass
Dependencies and supply chain hygiene

Dependencies are present but no obvious high-risk issue stands out.

Attack Chain

01
Skill presents as read-only monitoring tool in SKILL.md

deception · SKILL.md:1

02
User runs monitor.py to check plugin updates

Entry · scripts/monitor.py:2300

03
Code accesses /root/.openclaw/workspace/ for registry and plugin information

recon · scripts/monitor.py:45

04
DiffAnalyzer clones Git repos and runs git commands via subprocess

Escalation · scripts/diff_analyzer.py:75

05
FixApplier.apply_fix() applies patches to adapter files via subprocess

Escalation · scripts/adapter_auto_fix.py:760

06
Files in /root/.openclaw/workspace/integration/adapter/ modified without clear user consent

Impact · scripts/adapter_auto_fix.py:771

What drove the risk score up

Documentation mismatch +25

SKILL.md claims '只读操作' (read-only) and '零自动升级' (zero auto-upgrade) but adapter_auto_fix.py contains FixApplier that applies patches via subprocess

Undeclared shell execution +15

The FixApplier.apply_fix() uses subprocess.run(['patch', ...]) to modify files, which is not declared in SKILL.md

Script generation capability +10

UpgradeScriptGenerator creates executable bash/python scripts based on detected updates

Hardcoded placeholder credentials +5

email_sender.py:47 contains password='your-app-password' placeholder - low risk but indicates credential handling patterns

Most important evidence

High Doc Mismatch

Documentation mismatch - file modification not declared

SKILL.md states '只读操作:不执行任何自动升级' (read-only operations: do not execute any auto-upgrade) but the FixApplier class in adapter_auto_fix.py applies patches to adapter files using subprocess, enabling file modifications.

SKILL.md:1
Either remove the FixApplier patch application functionality or update SKILL.md to declare filesystem:WRITE and shell:WRITE capabilities.
High RCE

Undeclared shell execution via patch command

adapter_auto_fix.py:760-790 contains FixApplier.apply_fix() that executes 'patch' command via subprocess to modify files in the filesystem, which is not declared in SKILL.md

scripts/adapter_auto_fix.py:760
Declare shell:WRITE capability if patch application is intentional, or remove the patch execution code.
Medium Doc Mismatch

Script generation capability not documented

UpgradeScriptGenerator creates executable bash and python scripts but this functionality is not mentioned in SKILL.md

scripts/monitor.py:1650
Document the script generation capability if intentional, or remove the functionality.
Low Sensitive Access

Hardcoded placeholder password

email_sender.py:47 contains placeholder password='your-app-password'. While this is a placeholder, it demonstrates credential handling patterns that could be exploited if actual credentials are stored similarly.

scripts/email_sender.py:47
Remove default placeholder credentials and require environment variables to be set.
Low Credential Theft

Environment variable access for credentials

email_sender.py reads EVOLUTION_WATCHER_SENDER_EMAIL and EVOLUTION_WATCHER_SENDER_PASSWORD from environment. If these contain sensitive tokens, they could be accessed.

scripts/email_sender.py:37
Ensure credentials are not exfiltrated - current code only uses them for SMTP login, which appears legitimate.

Declared capability vs actual capability

Filesystem Block
Declared READ
Inferred WRITE
adapter_auto_fix.py:771 uses subprocess.run(['patch', ...]) to modify adapter files
Shell Block
Declared READ
Inferred WRITE
monitor.py:28 uses subprocess.run for 'clawhub' commands; adapter_auto_fix.py:760 applies patches to files
Network Pass
Declared READ
Inferred READ
Uses network only for version checking via clawhub CLI
Environment Block
Declared NONE
Inferred READ
email_sender.py:37-38 reads EVOLUTION_WATCHER_SENDER_EMAIL/PASSWORD

Suspicious artifacts and egress

High API Key
password = "your-app-password"

scripts/email_sender.py:47

Info Email
[email protected]

scripts/email_sender.py:25

Info Email
[email protected]

scripts/email_sender.py:44

Dependencies and supply chain

Package · Version · Source · Known vuln · Notes
pyyaml · unpinned · import yaml · No · Used for fix_templates.yaml parsing
markdown · unpinned · import markdown · No · Optional dependency for email formatting

File composition

36 files · 7784 lines
Python 6 files · 5165 lines
JSON 3 files · 1262 lines
Markdown 26 files · 1139 lines
YAML 1 file · 218 lines
Files of concern · 4
scripts/monitor.py Python · 2879 lines
Script generation capability not documented
scripts/adapter_auto_fix.py Python · 1414 lines
Undeclared shell execution via patch command
SKILL.md Markdown · 180 lines
Documentation mismatch - file modification not declared
scripts/email_sender.py Python · 183 lines
Hardcoded placeholder password · Environment variable access for credentials · password = "your-app-password" · [email protected] · [email protected]
Other files · updates_log.json · diff_analyzer.py · test_end_to_end.py · fix_templates.yaml · updates_20260318_021408.md · updates_20260318_024436.md +2

Security positives

Skill includes backup functionality before applying patches (sandbox_validate creates temp copies)
Includes health check verification after fix application
Dry-run mode available in UpgradeScriptGenerator
Reports are generated for human review before execution
Authorization flow mentioned for fix application (apply_fix requires 'authorized' parameter)