Is self-evolving-skill safe?
https://clawhub.ai/whtoo/self-evolving-skill
This skill exhibits concerning behavior during installation — most critically, it reads .env, .aws/credentials, and auth-profiles.json without any legitimate reason. The core Python modules referenced throughout the codebase are missing from the shipped package, creating either a broken skill or a supply-chain attack vector. The self-modifying nature of the skill (value-gated mutations with persistence) means its behavior can drift post-audit, making static analysis unreliable over time.
Category Scores
Findings (10)
CRITICAL (-50): Install process reads sensitive credential files
During installation, the process accessed .env, .aws/credentials, and auth-profiles.json. These files contain secrets (API keys, AWS access keys, authentication tokens) that have no legitimate relationship to a 'self-evolving skill' machine learning system. This is the single most concerning behavior observed.
HIGH (-35): Missing core/ Python modules referenced throughout codebase
SKILL.md, README.md, INSTALLATION.md, and mcporter_adapter.py all reference a core/ directory with 6 Python modules (residual_pyramid.py, reflection_trigger.py, experience_replay.py, skill_engine.py, storage.py, mcp_server.py) that do NOT exist in the shipped package. The mcporter_adapter.py attempts to import from this directory at runtime. This means either: (a) the skill is broken/incomplete, or (b) these modules are expected to be fetched from an external source, creating a supply-chain risk.
HIGH (-40): Self-modifying skill with mutation and persistence capabilities
The skill is designed to mutate its own behavior through 'value-gated mutations' and persist these changes to disk. The skill_execute tool returns mutation_accepted flags, meaning the skill's behavior can drift from what was originally audited. Static security analysis becomes unreliable over time.
HIGH (-30): System fingerprinting via /etc/machine-id access
The install process read /etc/machine-id, a globally unique identifier for the host system. Combined with the credential file access, this could enable correlation of exfiltrated data with specific machines.
MEDIUM (-15): Local HTTP server spawned on port 8080
The TypeScript engine spawns a Python subprocess that binds an HTTP server on localhost:8080 accepting JSON tool call requests. This creates an unauthenticated local service that any process on the machine could interact with.
MEDIUM (-15): install.sh modifies home directory with symlinks and file copies
The install script creates symlinks from the skill directory into ~/.openclaw/skills/ and copies the Python adapter there, establishing persistent presence outside the audited skill directory.
MEDIUM (-15): Documentation references non-existent scripts and files
SKILL.md instructs users to run ./run_mcp.sh which does not exist in the repository. This could social-engineer users into creating or downloading this script from untrusted sources suggested by the skill author.
LOW (-10): Temp directory artifacts from JIT compilation
The install process created multiple .cjs files in /tmp/jiti/, which is a world-readable location. While this is likely jiti's normal behavior for TypeScript transpilation, these cached modules could be tampered with by other processes on the machine.
LOW (-5): Hardcoded author-specific path in Python adapter
The mcporter_adapter.py contains a hardcoded default path /Users/blitz/.openclaw/workspace/, revealing the original developer's username and suggesting the code was written against that developer's local directory layout rather than a portable one.
INFO (-5): Python adapter has undefined type hint (Dict)
mcporter_adapter.py uses Dict type hint without importing it from typing, indicating the code may not have been thoroughly tested and could fail at runtime in certain Python versions.