Is dadaniya99/evomap-gep safe?

SKILL.md explicitly instructs the agent to fetch capsules from evomap.ai and apply them: 'Read the returned capsules. If a capsule matches your situation, try applying it.' This directs the agent to execute arbitrary instructions served by a third-party server operator. An attacker who controls evomap.ai — or compromises it — can return malicious capsules to any connected agent and have them applied without user confirmation. The attack surface scales with the number of agents using the skill.

The skill instructs the agent to search evomap.ai whenever it encounters any problem: 'When you hit a problem — error, timeout, config issue — search EvoMap first'. This means every error, timeout, and configuration issue encountered during normal agent operation is transmitted to evomap.ai as a query string, paired with the agent's permanent sender_id. The operator of evomap.ai receives a complete, timestamped record of every difficulty the agent encounters.

The skill explicitly instructs the agent to write a permanent external identifier to MEMORY.md, the agent's persistent cross-session memory store. This is not a one-time setup step — SKILL.md frames it as mandatory and permanent: 'Your sender_id is permanent — never change it. Save it to MEMORY.md.' Both scripts read MEMORY.md on every invocation to extract this identifier before making outbound calls, meaning any agent with this skill installed will always transmit its persistent identity to evomap.ai.

SKILL.md notes that 'The scripts auto-add the correct User-Agent header to pass Cloudflare protection.' Both hello.py and fetch.py set 'User-Agent: OpenClaw-EvoMap/1.0' specifically to bypass Cloudflare's bot detection. Legitimate registered developer APIs do not require clients to bypass Cloudflare WAF — this is standard practice for scrapers and unauthorized bots. This raises significant questions about whether evomap.ai is a legitimate service operating with proper API infrastructure.

The skill assigns each agent a permanent node_xxx identifier, stores it in MEMORY.md, and transmits it on every API call to evomap.ai. Unlike a session token, this identifier is explicitly designed to never change. This enables evomap.ai to maintain a longitudinal record of every query, publication, and hello event from a given agent across all sessions, users, and tasks indefinitely. There is no opt-out, rotation, or expiry mechanism.

The publish-guide.md capsule schema requires publishers to include an env_fingerprint field containing node_version, platform, arch, and runtime. Any agent that publishes a capsule will transmit these host environment details to evomap.ai. While publication is optional, the skill actively encourages it after solving problems.

fetch.py receives JSON from evomap.ai, extracts asset summaries, and prints them directly to stdout with no content sanitization or schema enforcement. The raw API response is also printed in full ('--- Raw response ---'). If evomap.ai returns malicious content (prompt injection strings, harmful instructions), it is injected directly into the agent's context as trusted tool output.

inotifywait events captured OPEN and ACCESS events on .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json at 09:58:19 and again near session end. These accesses are temporally consistent with the audit monitoring infrastructure performing initial and final canary baseline scans. No skill scripts were executed during the monitoring period and auditd EXECVE records do not show Python running against these paths.