Skill Trust Decision
self-evolution-engine
Hardcoded billing API key with no declared credential handling, plus undocumented external data transmission to skillpay.me that is only minimally mentioned in SKILL.md — a significant doc-to-code mismatch.
Most direct threat evidence
Critical Credential Theft
Hardcoded Billing API Key in Source Code payment.py contains a plaintext billing API key 'sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2' hardcoded at line 12. The _meta.json specifies the key should come from SKILLPAY_API_KEY environment variable, but the code bypasses this entirely. Anyone with read access to the skill source can extract and misuse this key.
payment.py:12 Why this conclusion was reached
2/4 dimensions flagged Pass
Declared vs actual capability
Declared resources and inferred behavior are broadly aligned.
Block
Hidden execution and egress
1 high-risk artifacts or egress signals were extracted.
Block
Attack chain and severe findings
The report includes 3 attack-chain steps and 3 severe findings.
Review
Dependencies and supply chain hygiene
5 dependency or supply-chain issues need attention.
Attack Chain
01
Skill deployed with hardcoded billing API key embedded in payment.py
Entry · payment.py:12
02
Attacker extracts the hardcoded API key from source code
Escalation · payment.py:12
03
Attacker uses extracted key to make unauthorized billing API calls against skillpay.me on behalf of the skill operator
Impact · payment.py:38
What drove the risk score up
Hardcoded billing API key in source +35
payment.py line 12 contains a plaintext API key 'sk_f03aa...1d2' used in all X-API-Key headers. No env var fallback. Should be SKILLPAY_API_KEY from environment.
Undeclared external data transmission +20
SKILL.md mentions SkillPay only as a pricing note but does not disclose that SKILLPAY_USER_ID (from environment) is sent to an external endpoint. Data exfiltration to external host skillpay.me is not documented.
Hardcoded workspace path +8
evolution_generator.py and version_manager.py hardcode '/root/.openclaw/workspace/skills' — undeclared privileged path access that is platform-specific.
Unpinned dependencies +5
requirements.txt contains pandas>=2.0.0, numpy>=1.24.0, psutil>=5.9.0, matplotlib>=3.7.0 without upper bounds or exact versions.
Most important evidence
Critical Credential Theft
Hardcoded Billing API Key in Source Code
payment.py contains a plaintext billing API key 'sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2' hardcoded at line 12. The _meta.json specifies the key should come from SKILLPAY_API_KEY environment variable, but the code bypasses this entirely. Anyone with read access to the skill source can extract and misuse this key.
payment.py:12 Replace with os.environ.get('SKILLPAY_API_KEY', '') and ensure the environment variable is documented and required at runtime.
High Data Exfil
Undeclared External Data Transmission
The skill transmits SKILLPAY_USER_ID (read from environment) and the billing API key to https://skillpay.me for payment verification. SKILL.md only mentions '本 Skill 已接入 SkillPay 付费系统' and a price tag. It does not disclose what data is sent, to which endpoint, or that user identifiers are transmitted to a third-party service.
payment.py:76 Add a dedicated '数据与隐私' section to SKILL.md detailing all external API calls, data fields transmitted, and the service provider.
High Doc Mismatch
SKILL.md Does Not Match Implementation
SKILL.md describes a pure self-evolution engine (performance monitoring, error analysis, version management). The actual implementation includes a mandatory billing/payment system that charges users before execution, reads environment variables, and makes outbound HTTP requests — none of which appear in the capability declaration or tool list.
SKILL.md:1 Add network:READ and environment:READ to the declared capability map, and document the payment verification flow in SKILL.md.
Medium Sensitive Access
Hardcoded Privileged Workspace Path
Both evolution_generator.py and version_manager.py hardcode /root/.openclaw/workspace/skills as the target directory for skill file operations (snapshots, backups, patches). This path implies running with elevated (root) privileges and targets a specific platform directory not declared in SKILL.md.
scripts/evolution_generator.py:22 Use a configurable workspace path from environment variable or command-line argument rather than hardcoding /root paths.
Low Supply Chain
Unpinned Dependencies with Lower Bounds Only
requirements.txt uses lower-bound version specifiers (pandas>=2.0.0, numpy>=1.24.0, etc.) without upper bounds or exact pins. This allows dependency confusion attacks and pulls latest patch versions without review.
requirements.txt:1 Pin exact versions (e.g., pandas==2.2.3) or at minimum add upper bounds (pandas>=2.0.0,<3.0.0) to prevent silent major-version jumps.
Declared capability vs actual capability
Network Pass
Declared NONE
→ Inferred READ
payment.py:20-30 makes requests.post() to https://skillpay.me with API key and user ID Environment Pass
Declared NONE
→ Inferred READ
payment.py:76 reads os.environ.get('SKILLPAY_USER_ID') Filesystem Pass
Declared NONE
→ Inferred WRITE
evolution_generator.py:22, version_manager.py:18 hardcode /root/.openclaw/workspace/skills path for writes Suspicious artifacts and egress
High API Key
API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2" payment.py:12
Medium External URL
https://skillpay.me payment.py:11
Dependencies and supply chain
| Package | Version | Source | Known vuln | Notes |
|---|---|---|---|---|
| pandas | >=2.0.0 | pip | No | Version not pinned, lower-bound only |
| numpy | >=1.24.0 | pip | No | Version not pinned |
| psutil | >=5.9.0 | pip | No | Version not pinned |
| matplotlib | >=3.7.0 | pip | No | Version not pinned |
| python-dateutil | >=2.8.0 | pip | No | Version not pinned |
| requests | not declared | pip | No | Used in payment.py but not listed in requirements.txt |
File composition
9 files · 1662 lines
Python 5 files · 1300 linesMarkdown 2 files · 329 linesJSON 1 files · 19 linesText 1 files · 14 lines
Files of concern · 4
scripts/evolution_generator.py Hardcoded Privileged Workspace Path
payment.py Hardcoded Billing API Key in Source Code · Undeclared External Data Transmission · API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2" · https://skillpay.me
SKILL.md SKILL.md Does Not Match Implementation
requirements.txt Unpinned Dependencies with Lower Bounds Only
Other files · version_manager.py · error_analyzer.py · performance_monitor.py · architecture.md · _meta.json
Security positives
No shell execution, subprocess, or command injection vectors found
No credential harvesting beyond the billing API key (which is used for its intended purpose, not exfiltrated elsewhere)
No base64-encoded payloads, obfuscated code, or anti-analysis techniques
Evolution apply and rollback operations require explicit --confirm flags, providing a human-in-the-loop safeguard
Backup creation before rollback operations prevents accidental data loss
No access to ~/.ssh, ~/.aws, .env, or other sensitive user paths
No reverse shell, C2, or data-theft-only beacons detected