中文 EN

扫描报告

扫描新文件

低风险 — 风险评分 20/100
上次扫描:1 天前 重新扫描
20 /100
capability-evolver
A GEP-powered self-evolution engine for AI agents. Features automated log analysis and Genome Evolution Protocol (GEP) for auditable, reusable evolution assets.
A legitimate self-evolution meta-skill with comprehensive safety controls. The only notable finding is hardcoded test credential strings in test files, which pose no production risk as they are test fixtures used to verify the redaction sanitizer.
技能名称capability-evolver
分析耗时62.2s
引擎pi
可以安装
Remove hardcoded API key test fixtures from test/sanitize.test.js and replace with dynamically generated mock values. No other action required - the codebase demonstrates strong security engineering.

安全发现 2 项

严重性 安全发现 位置
低危
Hardcoded credential strings in test fixtures 供应链
test/sanitize.test.js contains hardcoded API key strings (sk-, ghp_, gho_, AKIAIOSFODNN7EXAMPLE) used as test fixtures for the redactString() sanitizer. These are test-only values used to verify the redaction function works correctly, not real secrets in use.
assert.strictEqual(redactString('sk-abcdefghijklmnopqrstuvwxyz'), REDACTED);
→ Replace hardcoded credential strings with dynamically generated mock patterns (e.g., generate fake keys programmatically) to eliminate false-positive IOC scanning alerts.
 test/sanitize.test.js:10
低危
Dangerous command in test data 文档欺骗
test/skillDistiller.test.js:210 includes 'rm -rf /' as test input for validateSynthesizedGene() to verify that dangerous validation commands are stripped. This is a legitimate safety test, not actual execution.
validation: ['node test.js', 'rm -rf /', 'echo $(whoami)', 'npm test']
→ No action needed - this is correct safety testing. The corresponding filter in skillDistiller.js:validation sanitization correctly strips shell operators and command substitution.
 test/skillDistiller.test.js:210
资源类型声明权限推断权限状态证据
文件系统 WRITE WRITE ✓ 一致 SKILL.md declares write to workspace/assets/**, memory/**, src/**
网络访问 READ READ ✓ 一致 HTTP to api.github.com and evomap.ai per network_endpoints declaration
命令执行 WRITE WRITE ✓ 一致 git/node/npm/ps/df commands per shell_commands declaration
环境变量 READ READ ✓ 一致 Reads env vars for config per env_declarations
5 严重 16 项发现
🔑
严重 API 密钥 硬编码 API 密钥
sk-abcdefghijklmnopqrstuvwxyz
test/sanitize.test.js:10
🔑
严重 API 密钥 硬编码 API 密钥
ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
test/sanitize.test.js:19
🔑
严重 API 密钥 硬编码 API 密钥
gho_abcdefghijklmnopqrstuvwxyz1234567890
test/sanitize.test.js:21
🔑
严重 API 密钥 硬编码 API 密钥
AKIAIOSFODNN7EXAMPLE
test/sanitize.test.js:29
💀
严重 危险命令 危险 Shell 命令
rm -rf /
test/skillDistiller.test.js:210
🔗
中危 外部 URL 外部 URL
https://evomap.ai
README.md:5
🔗
中危 外部 URL 外部 URL
https://evomap.ai/wiki
README.md:5
🔗
中危 外部 URL 外部 URL
https://api.star-history.com/svg?repos=autogame-17/evolver&type=Date
README.md:269
🔗
中危 外部 URL 外部 URL
https://star-history.com/#autogame-17/evolver&Date
README.md:269
🔗
中危 外部 URL 外部 URL
https://mowen.cn
README.md:284
🔗
中危 外部 URL 外部 URL
https://evomap.ai/claim/
SKILL.md:147
🔗
中危 外部 URL 外部 URL
https://www.clawhub.ai
scripts/publish_public.js:410
🔗
中危 外部 URL 外部 URL
https://evomap.ai/terms
src/gep/skillPublisher.js:162
📧
提示 邮箱 邮箱地址
[email protected]
package.json:19
📧
提示 邮箱 邮箱地址
[email protected]
test/sanitize.test.js:57
📧
提示 邮箱 邮箱地址
[email protected]
test/sanitize.test.js:74

目录结构

77 文件 · 646.0 KB · 17565 行
JavaScript 69f · 16508L Markdown 4f · 827L JSON 4f · 230L
├─ 📁 assets
│ └─ 📁 gep
│ ├─ 📋 capsules.json JSON 79L · 2.8 KB
│ └─ 📋 genes.json JSON 108L · 3.5 KB
├─ 📁 scripts
│ ├─ 📜 a2a_export.js JavaScript 63L · 2.3 KB
│ ├─ 📜 a2a_ingest.js JavaScript 79L · 2.6 KB
│ ├─ 📜 a2a_promote.js JavaScript 118L · 4.7 KB
│ ├─ 📜 analyze_by_skill.js JavaScript 121L · 4.7 KB
│ ├─ 📜 build_public.js JavaScript 355L · 10.6 KB
│ ├─ 📜 extract_log.js JavaScript 85L · 2.5 KB
│ ├─ 📜 generate_history.js JavaScript 75L · 2.5 KB
│ ├─ 📜 gep_append_event.js JavaScript 96L · 3.0 KB
│ ├─ 📜 gep_personality_report.js JavaScript 234L · 7.7 KB
│ ├─ 📜 human_report.js JavaScript 147L · 5.7 KB
│ ├─ 📜 publish_public.js JavaScript 614L · 19.9 KB
│ ├─ 📜 recover_loop.js JavaScript 61L · 1.7 KB
│ ├─ 📜 suggest_version.js JavaScript 89L · 3.0 KB
│ └─ 📜 validate-modules.js JavaScript 8L · 437 B
├─ 📁 src
│ ├─ 📁 gep
│ │ ├─ 📜 a2a.js JavaScript 173L · 6.3 KB
│ │ ├─ 📜 a2aProtocol.js JavaScript 752L · 23.4 KB
│ │ ├─ 📜 analyzer.js JavaScript 35L · 988 B
│ │ ├─ 📜 assetCallLog.js JavaScript 130L · 3.4 KB
│ │ ├─ 📜 assets.js JavaScript 36L · 1.1 KB
│ │ ├─ 📜 assetStore.js JavaScript 328L · 12.5 KB
│ │ ├─ 📜 bridge.js JavaScript 71L · 2.0 KB
│ │ ├─ 📜 candidates.js JavaScript 142L · 5.0 KB
│ │ ├─ 📜 contentHash.js JavaScript 65L · 2.1 KB
│ │ ├─ 📜 deviceId.js JavaScript 209L · 6.6 KB
│ │ ├─ 📜 envFingerprint.js JavaScript 83L · 2.9 KB
│ │ ├─ 📜 hubReview.js JavaScript 206L · 6.4 KB
│ │ ├─ 📜 hubSearch.js JavaScript 237L · 7.7 KB
│ │ ├─ 📜 issueReporter.js JavaScript 262L · 8.8 KB
│ │ ├─ 📜 llmReview.js JavaScript 92L · 3.1 KB
│ │ ├─ 📜 memoryGraph.js JavaScript 771L · 26.9 KB
│ │ ├─ 📜 memoryGraphAdapter.js JavaScript 203L · 7.0 KB
│ │ ├─ 📜 mutation.js JavaScript 186L · 6.7 KB
│ │ ├─ 📜 narrativeMemory.js JavaScript 108L · 3.7 KB
│ │ ├─ 📜 paths.js JavaScript 130L · 3.7 KB
│ │ ├─ 📜 personality.js JavaScript 355L · 13.2 KB
│ │ ├─ 📜 prompt.js JavaScript 579L · 23.6 KB
│ │ ├─ 📜 questionGenerator.js JavaScript 212L · 8.5 KB
│ │ ├─ 📜 reflection.js JavaScript 127L · 4.2 KB
│ │ ├─ 📜 sanitize.js JavaScript 67L · 2.2 KB
│ │ ├─ 📜 selector.js JavaScript 250L · 9.2 KB
│ │ ├─ 📜 signals.js JavaScript 417L · 19.5 KB
│ │ ├─ 📜 skillDistiller.js JavaScript 686L · 28.5 KB
│ │ ├─ 📜 skillPublisher.js JavaScript 307L · 10.3 KB
│ │ ├─ 📜 solidify.js JavaScript 1698L · 71.8 KB
│ │ ├─ 📜 strategy.js JavaScript 126L · 4.4 KB
│ │ ├─ 📜 taskReceiver.js JavaScript 528L · 17.3 KB
│ │ └─ 📜 validationReport.js JavaScript 55L · 2.1 KB
│ ├─ 📁 ops
│ │ ├─ 📜 cleanup.js JavaScript 80L · 2.5 KB
│ │ ├─ 📜 commentary.js JavaScript 60L · 1.7 KB
│ │ ├─ 📜 health_check.js JavaScript 106L · 4.0 KB
│ │ ├─ 📜 index.js JavaScript 11L · 376 B
│ │ ├─ 📜 innovation.js JavaScript 67L · 3.1 KB
│ │ ├─ 📜 lifecycle.js JavaScript 168L · 6.2 KB
│ │ ├─ 📜 self_repair.js JavaScript 72L · 2.5 KB
│ │ ├─ 📜 skills_monitor.js JavaScript 143L · 5.3 KB
│ │ └─ 📜 trigger.js JavaScript 33L · 837 B
│ ├─ 📜 canary.js JavaScript 13L · 486 B
│ └─ 📜 evolve.js JavaScript 1720L · 66.2 KB
├─ 📁 test
│ ├─ 📜 a2aProtocol.test.js JavaScript 199L · 6.5 KB
│ ├─ 📜 contentHash.test.js JavaScript 106L · 3.5 KB
│ ├─ 📜 envFingerprint.test.js JavaScript 89L · 3.0 KB
│ ├─ 📜 mutation.test.js JavaScript 142L · 4.6 KB
│ ├─ 📜 sanitize.test.js JavaScript 90L · 3.9 KB
│ ├─ 📜 selector.test.js JavaScript 124L · 4.1 KB
│ ├─ 📜 signals.test.js JavaScript 217L · 9.9 KB
│ ├─ 📜 skillDistiller.test.js JavaScript 486L · 16.9 KB
│ ├─ 📜 strategy.test.js JavaScript 133L · 4.8 KB
│ └─ 📜 validationReport.test.js JavaScript 148L · 4.8 KB
├─ 📋 _meta.json JSON 5L · 127 B
├─ 📝 CONTRIBUTING.md Markdown 11L · 327 B
├─ 📜 index.js JavaScript 530L · 21.2 KB
├─ 📋 package.json JSON 38L · 986 B
├─ 📝 README.md Markdown 290L · 12.8 KB
├─ 📝 README.zh-CN.md Markdown 236L · 11.3 KB
└─ 📝 SKILL.md Markdown 290L · 11.8 KB

依赖分析 1 项

包名版本来源已知漏洞备注
dotenv ^16.4.7 npm Version pinned with caret range

安全亮点

✓ Validation command sanitization blocks all shell operators ([;&|><]), backticks, and $(command substitution)
✓ Ethics patterns block attempts to bypass safety/guardrails in gene strategies
✓ Critical path protection prevents modification of core skills and essential files
✓ Hard blast radius caps (60 files / 20000 lines) are enforced as absolute system limits
✓ Canary pre-solidify check verifies index.js loads before committing changes
✓ LLM review gate (EVOLVER_LLM_REVIEW) provides human-in-the-loop safety
✓ Credential redaction via redactString() with comprehensive pattern coverage
✓ HMAC-SHA256 signing for A2A publish operations
✓ Critical path protected paths include all core skills (evolver, feishu-*, clawhub, git-sync)