中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 20/100
Last scan:1 day ago Rescan
20 /100
capability-evolver
A GEP-powered self-evolution engine for AI agents. Features automated log analysis and Genome Evolution Protocol (GEP) for auditable, reusable evolution assets.
A legitimate self-evolution meta-skill with comprehensive safety controls. The only notable finding is hardcoded test credential strings in test files, which pose no production risk as they are test fixtures used to verify the redaction sanitizer.
Skill Namecapability-evolver
Duration62.2s
Enginepi
Safe to install
Remove hardcoded API key test fixtures from test/sanitize.test.js and replace with dynamically generated mock values. No other action required - the codebase demonstrates strong security engineering.

Findings 2 items

Severity Finding Location
Low
Hardcoded credential strings in test fixtures Supply Chain
test/sanitize.test.js contains hardcoded API key strings (sk-, ghp_, gho_, AKIAIOSFODNN7EXAMPLE) used as test fixtures for the redactString() sanitizer. These are test-only values used to verify the redaction function works correctly, not real secrets in use.
assert.strictEqual(redactString('sk-abcdefghijklmnopqrstuvwxyz'), REDACTED);
→ Replace hardcoded credential strings with dynamically generated mock patterns (e.g., generate fake keys programmatically) to eliminate false-positive IOC scanning alerts.
 test/sanitize.test.js:10
Low
Dangerous command in test data Doc Mismatch
test/skillDistiller.test.js:210 includes 'rm -rf /' as test input for validateSynthesizedGene() to verify that dangerous validation commands are stripped. This is a legitimate safety test, not actual execution.
validation: ['node test.js', 'rm -rf /', 'echo $(whoami)', 'npm test']
→ No action needed - this is correct safety testing. The corresponding filter in skillDistiller.js:validation sanitization correctly strips shell operators and command substitution.
 test/skillDistiller.test.js:210
ResourceDeclaredInferredStatusEvidence
Filesystem WRITE WRITE ✓ Aligned SKILL.md declares write to workspace/assets/**, memory/**, src/**
Network READ READ ✓ Aligned HTTP to api.github.com and evomap.ai per network_endpoints declaration
Shell WRITE WRITE ✓ Aligned git/node/npm/ps/df commands per shell_commands declaration
Environment READ READ ✓ Aligned Reads env vars for config per env_declarations
5 Critical 16 findings
🔑
Critical API Key 硬编码 API 密钥
sk-abcdefghijklmnopqrstuvwxyz
test/sanitize.test.js:10
🔑
Critical API Key 硬编码 API 密钥
ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
test/sanitize.test.js:19
🔑
Critical API Key 硬编码 API 密钥
gho_abcdefghijklmnopqrstuvwxyz1234567890
test/sanitize.test.js:21
🔑
Critical API Key 硬编码 API 密钥
AKIAIOSFODNN7EXAMPLE
test/sanitize.test.js:29
💀
Critical Dangerous Command 危险 Shell 命令
rm -rf /
test/skillDistiller.test.js:210
🔗
Medium External URL 外部 URL
https://evomap.ai
README.md:5
🔗
Medium External URL 外部 URL
https://evomap.ai/wiki
README.md:5
🔗
Medium External URL 外部 URL
https://api.star-history.com/svg?repos=autogame-17/evolver&type=Date
README.md:269
🔗
Medium External URL 外部 URL
https://star-history.com/#autogame-17/evolver&Date
README.md:269
🔗
Medium External URL 外部 URL
https://mowen.cn
README.md:284
🔗
Medium External URL 外部 URL
https://evomap.ai/claim/
SKILL.md:147
🔗
Medium External URL 外部 URL
https://www.clawhub.ai
scripts/publish_public.js:410
🔗
Medium External URL 外部 URL
https://evomap.ai/terms
src/gep/skillPublisher.js:162
📧
Info Email 邮箱地址
[email protected]
package.json:19
📧
Info Email 邮箱地址
[email protected]
test/sanitize.test.js:57
📧
Info Email 邮箱地址
[email protected]
test/sanitize.test.js:74

File Tree

77 files · 646.0 KB · 17565 lines
JavaScript 69f · 16508L Markdown 4f · 827L JSON 4f · 230L
├─ 📁 assets
│ └─ 📁 gep
│ ├─ 📋 capsules.json JSON 79L · 2.8 KB
│ └─ 📋 genes.json JSON 108L · 3.5 KB
├─ 📁 scripts
│ ├─ 📜 a2a_export.js JavaScript 63L · 2.3 KB
│ ├─ 📜 a2a_ingest.js JavaScript 79L · 2.6 KB
│ ├─ 📜 a2a_promote.js JavaScript 118L · 4.7 KB
│ ├─ 📜 analyze_by_skill.js JavaScript 121L · 4.7 KB
│ ├─ 📜 build_public.js JavaScript 355L · 10.6 KB
│ ├─ 📜 extract_log.js JavaScript 85L · 2.5 KB
│ ├─ 📜 generate_history.js JavaScript 75L · 2.5 KB
│ ├─ 📜 gep_append_event.js JavaScript 96L · 3.0 KB
│ ├─ 📜 gep_personality_report.js JavaScript 234L · 7.7 KB
│ ├─ 📜 human_report.js JavaScript 147L · 5.7 KB
│ ├─ 📜 publish_public.js JavaScript 614L · 19.9 KB
│ ├─ 📜 recover_loop.js JavaScript 61L · 1.7 KB
│ ├─ 📜 suggest_version.js JavaScript 89L · 3.0 KB
│ └─ 📜 validate-modules.js JavaScript 8L · 437 B
├─ 📁 src
│ ├─ 📁 gep
│ │ ├─ 📜 a2a.js JavaScript 173L · 6.3 KB
│ │ ├─ 📜 a2aProtocol.js JavaScript 752L · 23.4 KB
│ │ ├─ 📜 analyzer.js JavaScript 35L · 988 B
│ │ ├─ 📜 assetCallLog.js JavaScript 130L · 3.4 KB
│ │ ├─ 📜 assets.js JavaScript 36L · 1.1 KB
│ │ ├─ 📜 assetStore.js JavaScript 328L · 12.5 KB
│ │ ├─ 📜 bridge.js JavaScript 71L · 2.0 KB
│ │ ├─ 📜 candidates.js JavaScript 142L · 5.0 KB
│ │ ├─ 📜 contentHash.js JavaScript 65L · 2.1 KB
│ │ ├─ 📜 deviceId.js JavaScript 209L · 6.6 KB
│ │ ├─ 📜 envFingerprint.js JavaScript 83L · 2.9 KB
│ │ ├─ 📜 hubReview.js JavaScript 206L · 6.4 KB
│ │ ├─ 📜 hubSearch.js JavaScript 237L · 7.7 KB
│ │ ├─ 📜 issueReporter.js JavaScript 262L · 8.8 KB
│ │ ├─ 📜 llmReview.js JavaScript 92L · 3.1 KB
│ │ ├─ 📜 memoryGraph.js JavaScript 771L · 26.9 KB
│ │ ├─ 📜 memoryGraphAdapter.js JavaScript 203L · 7.0 KB
│ │ ├─ 📜 mutation.js JavaScript 186L · 6.7 KB
│ │ ├─ 📜 narrativeMemory.js JavaScript 108L · 3.7 KB
│ │ ├─ 📜 paths.js JavaScript 130L · 3.7 KB
│ │ ├─ 📜 personality.js JavaScript 355L · 13.2 KB
│ │ ├─ 📜 prompt.js JavaScript 579L · 23.6 KB
│ │ ├─ 📜 questionGenerator.js JavaScript 212L · 8.5 KB
│ │ ├─ 📜 reflection.js JavaScript 127L · 4.2 KB
│ │ ├─ 📜 sanitize.js JavaScript 67L · 2.2 KB
│ │ ├─ 📜 selector.js JavaScript 250L · 9.2 KB
│ │ ├─ 📜 signals.js JavaScript 417L · 19.5 KB
│ │ ├─ 📜 skillDistiller.js JavaScript 686L · 28.5 KB
│ │ ├─ 📜 skillPublisher.js JavaScript 307L · 10.3 KB
│ │ ├─ 📜 solidify.js JavaScript 1698L · 71.8 KB
│ │ ├─ 📜 strategy.js JavaScript 126L · 4.4 KB
│ │ ├─ 📜 taskReceiver.js JavaScript 528L · 17.3 KB
│ │ └─ 📜 validationReport.js JavaScript 55L · 2.1 KB
│ ├─ 📁 ops
│ │ ├─ 📜 cleanup.js JavaScript 80L · 2.5 KB
│ │ ├─ 📜 commentary.js JavaScript 60L · 1.7 KB
│ │ ├─ 📜 health_check.js JavaScript 106L · 4.0 KB
│ │ ├─ 📜 index.js JavaScript 11L · 376 B
│ │ ├─ 📜 innovation.js JavaScript 67L · 3.1 KB
│ │ ├─ 📜 lifecycle.js JavaScript 168L · 6.2 KB
│ │ ├─ 📜 self_repair.js JavaScript 72L · 2.5 KB
│ │ ├─ 📜 skills_monitor.js JavaScript 143L · 5.3 KB
│ │ └─ 📜 trigger.js JavaScript 33L · 837 B
│ ├─ 📜 canary.js JavaScript 13L · 486 B
│ └─ 📜 evolve.js JavaScript 1720L · 66.2 KB
├─ 📁 test
│ ├─ 📜 a2aProtocol.test.js JavaScript 199L · 6.5 KB
│ ├─ 📜 contentHash.test.js JavaScript 106L · 3.5 KB
│ ├─ 📜 envFingerprint.test.js JavaScript 89L · 3.0 KB
│ ├─ 📜 mutation.test.js JavaScript 142L · 4.6 KB
│ ├─ 📜 sanitize.test.js JavaScript 90L · 3.9 KB
│ ├─ 📜 selector.test.js JavaScript 124L · 4.1 KB
│ ├─ 📜 signals.test.js JavaScript 217L · 9.9 KB
│ ├─ 📜 skillDistiller.test.js JavaScript 486L · 16.9 KB
│ ├─ 📜 strategy.test.js JavaScript 133L · 4.8 KB
│ └─ 📜 validationReport.test.js JavaScript 148L · 4.8 KB
├─ 📋 _meta.json JSON 5L · 127 B
├─ 📝 CONTRIBUTING.md Markdown 11L · 327 B
├─ 📜 index.js JavaScript 530L · 21.2 KB
├─ 📋 package.json JSON 38L · 986 B
├─ 📝 README.md Markdown 290L · 12.8 KB
├─ 📝 README.zh-CN.md Markdown 236L · 11.3 KB
└─ 📝 SKILL.md Markdown 290L · 11.8 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
dotenv ^16.4.7 npm No Version pinned with caret range

Security Positives

✓ Validation command sanitization blocks all shell operators ([;&|><]), backticks, and $(command substitution)
✓ Ethics patterns block attempts to bypass safety/guardrails in gene strategies
✓ Critical path protection prevents modification of core skills and essential files
✓ Hard blast radius caps (60 files / 20000 lines) are enforced as absolute system limits
✓ Canary pre-solidify check verifies index.js loads before committing changes
✓ LLM review gate (EVOLVER_LLM_REVIEW) provides human-in-the-loop safety
✓ Credential redaction via redactString() with comprehensive pattern coverage
✓ HMAC-SHA256 signing for A2A publish operations
✓ Critical path protected paths include all core skills (evolver, feishu-*, clawhub, git-sync)