中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 15/100
Last scan:2 days ago Rescan
15 /100
hermes-learning-loop
Self-improving learning loop inspired by Hermes Agent. Automatically extracts successful workflows, creates skills, and persists knowledge across sessions.
A legitimate self-improving learning loop skill that writes skills and memories to local directories. No malicious behavior detected.
Skill Namehermes-learning-loop
Duration38.9s
Enginepi
Safe to install
This skill is safe to use. No security concerns warrant blocking. Consider adding package.json with "type": "module" for proper ES module support.

Findings 2 items

Severity Finding Location
Low
Missing package.json configuration
The script uses ES module syntax (import statements) but there's no package.json with '"type": "module"' declaration. This may cause execution failures in Node.js.
import { readFile, writeFile, mkdir, readdir, stat, appendFile } from 'fs/promises'
→ Add package.json with { "type": "module" } for proper ES module support
 scripts/learning-loop.js:1
Info
SQLite/FTS5 mentioned but not implemented
SKILL.md documents SQLite FTS5 for session search, but the actual code only uses JSON files and markdown. The implementation is simpler than documentation suggests.
FTS5 Session Search — SQLite-powered historical context retrieval
→ Either implement SQLite FTS5 or remove from documentation
 SKILL.md:31
ResourceDeclaredInferredStatusEvidence
Filesystem WRITE WRITE ✓ Aligned learning-loop.js:8-14 uses fs/promises (readFile, writeFile, mkdir, appendFile)
Network NONE NONE No network modules imported or used
Shell NONE NONE No child_process, exec, spawn, or shell command execution
Environment READ READ ✓ Aligned learning-loop.js:16-23 reads OPENCLAW_WORKSPACE, LEARNING_* env vars
Skill Invoke WRITE WRITE ✓ Aligned Creates SKILL.md files in ~/.openclaw/skills/<category>/<name>/
Clipboard NONE NONE No clipboard access
Browser NONE NONE No browser automation
Database NONE NONE Mentions SQLite FTS5 in docs but no actual database implementation in code
3 findings
🔗
Medium External URL 外部 URL
https://hermes-agent.nousresearch.com/
README.md:213
🔗
Medium External URL 外部 URL
https://agentskills.io/specification
README.md:214
🔗
Medium External URL 外部 URL
https://www.sqlite.org/fts5.html
SKILL.md:377

File Tree

3 files · 33.0 KB · 1150 lines
Markdown 2f · 607L JavaScript 1f · 543L
├─ 📁 scripts
│ └─ 📜 learning-loop.js JavaScript 543L · 16.2 KB
├─ 📝 README.md Markdown 222L · 5.4 KB
└─ 📝 SKILL.md Markdown 385L · 11.5 KB

Security Positives

✓ No shell execution (subprocess/exec/spawn)
✓ No network requests or external IP connections
✓ No credential harvesting (no ~/.ssh, ~/.aws, .env access)
✓ No base64 or obfuscated code execution
✓ No dynamic code evaluation (eval, Function, etc.)
✓ No data exfiltration patterns
✓ No hidden functionality in HTML comments or hidden files
✓ Filesystem operations aligned with documented purpose (skill/memory persistence)