Plugin v4.1.1
ClawScan security
jiaolong AI Assistant Framework · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 2, 2026, 2:37 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and runtime instructions largely match its stated goal (memory, automation, self‑evolution) but it asks you to copy a large codebase into your workspace, can modify arbitrary files, install a daemon, and includes utilities (e.g., push_to_github.py) that could exfiltrate or publish workspace contents — review carefully before installing.
- Guidance: Before installing: (1) Inspect the repository files locally — search for push_to_github.py, jarvis_daemon.py, openclaw_integration.py and any code that calls network endpoints or writes arbitrary files. (2) Backup your OpenClaw workspace; this skill will read and can overwrite files in the workspace (evolution.py implements apply_changes/rollback). (3) Do not enable the daemon or run installer scripts until you audit them — daemon installation gives persistence. (4) If you must test, run in an isolated/non‑production workspace or VM with no sensitive data and no credentials. (5) If you provide LLM API keys, expect the code to call external model APIs; only provide least‑privilege keys you trust. (6) Specifically review push_to_github.py and any code that performs git/push or HTTP uploads — these could exfiltrate content if misused.
Review Dimensions
- Purpose & Capability (note): Name/description (memory, automation, self‑evolution) align with the included modules (memory_recall, evolution, task coordinator, skill_trigger, llm_core, etc.). However, the implementation grants capabilities beyond a simple helper: it writes to and modifies workspace files, runs experiments that overwrite target files, and includes a daemon installer and a push_to_github utility — these are coherent with a self‑evolution goal but are high‑impact and merit caution.
- Instruction Scope (concern): SKILL.md instructs you to copy the entire evolution_framework into your OpenClaw workspace and to enable internal hooks; runtime code reads/writes workspace artifacts (AGENTS.md, MEMORY.md, memory_hot.json, skills, experiments) and evolution.py contains functions to backup, apply changes, rollback and run experiments that modify files. The hook mechanism and memory injection imply runtime code will be executed inside the agent environment and can access local files and context. The instructions are explicit about performing these operations — this expands the agent's scope to arbitrary file mutation and persistent behavior.
- Install Mechanism (note): There is no packaged install spec; SKILL.md asks you to copy files into your workspace (manual installation). That means arbitrary code will be written into your workspace and executed. Manual copy is lower-risk than an automated download from an unknown URL, but still writes many files to disk; you should inspect the files before placing them into a sensitive workspace.
- Credentials (note): Registry metadata declares no required env vars, and SKILL.md only lists optional LLM API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY). That is reasonable for LLM-driven features. However, the code will operate on local workspace data and can access any files there; optional mention of API keys means networked model calls will occur if you set them. The skill also references reading spreadsheets (openpyxl) and other local artifacts — these are not declared as required but appear in code as optional dependencies.
- Persistence & Privilege (concern): always:false but the package includes jarvis_daemon.py (SKILL.md documents commands to install a startup/daemon), and evolution.py implements automated experiments that can modify code in place. Combined, this gives the skill the ability to gain persistence and repeatedly run self‑modification cycles if you run the daemon or the provided scripts. While it's optional to install the daemon, its presence increases risk and should be explicitly controlled.
