Back to skill

Security audit

Capability Evolver Zc

Security checks across malware telemetry and agentic risk

Overview

This skill is a real self-evolution tool, but it grants broad autonomous control over local code, background execution, updates, and external network reporting that users should review before installing.

Install only if you want an autonomous self-evolution agent that can inspect local agent history, affect repository state, contact EvoMap and GitHub, run in the background, and update installed skills. Before running it, review the config and consider disabling EVOLVE_BRIDGE, EVOLVER_AUTO_ISSUE, autoUpdate, A2A/worker settings, and any broad tokens unless those capabilities are explicitly intended.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (80)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation advertises and configures environment-variable and network-based behavior, including external hub communication, but does not declare corresponding permissions. This creates a transparency and governance gap: operators may grant or execute the skill without realizing it can reach external services and consume sensitive environment configuration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The stated purpose frames the skill as local self-evolution, but the described behavior extends into external A2A networking, asset exchange, task claiming, publishing, GitHub automation, release operations, and lifecycle management. That mismatch is dangerous because users may trust or install the skill under a much narrower threat model than the one its actual capabilities require.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Automatic GitHub issue creation introduces outbound transmission of runtime-derived data to a third-party service, which expands the trust boundary beyond the stated self-evolution purpose. Even with sanitization claims, logs and environment-derived metadata are notoriously difficult to redact perfectly, so this can leak sensitive operational details or create unexpected external actions when enabled by default.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The README documents automatic submission of GitHub issues containing environment and log-derived failure information to an external repository. Even with redaction claims, this creates an explicit outbound data-exfiltration path from a self-evolving agent, and log/error data is often difficult to sanitize reliably. In this skill context, autonomous diagnostics plus network reporting is more dangerous because the engine already processes runtime history and may surface sensitive operational details.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Automatic GitHub issue creation is not necessary for core self-evolution/log-analysis behavior and expands the skill's authority into external communications. That capability can be abused or accidentally triggered to leak internal failures, metadata, or repository details, especially in an autonomous loop. The mismatch between stated purpose and outbound reporting makes the feature higher risk in this context.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The review flow invokes repository-wide git subprocesses (`git diff`, `git checkout -- .`, `git clean -fd`) over the entire repo, which gives the skill broad command and file-manipulation capability beyond merely analyzing runtime history. In a self-evolving agent, this is especially risky because generated or automated decisions could trigger destructive rollback of unrelated work or expose repository contents through diffs without strong scoping or confirmation barriers.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The daemon can respawn itself as a detached background process and continue running indefinitely, which expands persistence and autonomy beyond the declared evolution function. That persistence makes misuse harder to notice or stop, and if upstream evolution logic is compromised, the process can repeatedly re-launch and sustain unwanted behavior.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
When run with --persist, the script does not merely format data for export; it actively transmits hello/publish messages over a transport via getTransport().send(...). Because the assets include capsules, genes, and optionally evolution events, this creates a real data exfiltration path from an agent self-evolution system, and the script provides no authentication, destination validation, confirmation prompt, or audit disclosure at the send point.

Context-Inappropriate Capability

Medium
Confidence
72% confidence
Finding
The imported A2A export/publication modules show that this skill includes outbound sharing capability beyond the stated purpose of analyzing runtime history and applying constrained evolution. In this context, adding export primitives materially increases attack surface and the chance that sensitive internal evolution state, capabilities, or telemetry are disclosed to external systems.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The code performs autonomous maintenance actions, including session cleanup, archival, and especially automatic package updates via `checkAndAutoUpdate()`, which goes beyond passive analysis and constrained evolution. In an agent skill, self-modifying or externally updating behavior increases supply-chain and integrity risk because the skill can change its own operational environment without explicit user approval at execution time.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
`execSync(process.env.INTEGRATION_STATUS_CMD, ...)` executes a shell command fully controlled by an environment variable. Any attacker who can influence environment configuration can achieve arbitrary command execution under the agent's privileges, making this a direct command injection / unsafe execution sink.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The auto-update logic shells out to `clawhub update ... --force` for external components, enabling unattended code changes from an external package source. Even if intended for maintenance, this creates supply-chain risk and can introduce malicious or breaking code into the running agent environment without review.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This protocol module does more than local message formatting and transport: it performs hub registration, persistent authentication secret handling, periodic heartbeat telemetry, and remote work polling. In a self-evolution engine, that materially expands the trust boundary and enables unsolicited external coordination or control paths, which is dangerous if operators expect only local or peer message handling.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The module imports environment fingerprinting and device ID functionality, then includes environment fingerprint data in hello messages and derives a stable node identity from device characteristics, agent name, and working directory. This creates host-identifying telemetry and persistent tracking capability beyond what is necessary for basic protocol messaging, increasing privacy and operational risk.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The heartbeat advertises worker availability, domains, and load capacity, and stores server-provided available work for later consumption. For a self-evolving agent, this introduces a remote orchestration surface that can steer behavior or distribute tasks outside the declared protocol scope, making compromise or misuse of the hub more consequential.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The code derives a stable device identifier from host-unique sources such as /etc/machine-id, macOS IOPlatformUUID, container IDs, hostname, and MAC addresses, then persists it for reuse. For a skill described as analyzing runtime history for self-evolution, this host fingerprinting is broader than necessary and creates an unnecessary persistent tracking primitive that could be used to correlate runs, hosts, or operators across sessions.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The darwin fallback executes ioreg to retrieve IOPlatformUUID, which accesses a hardware-tied identifier not needed for the stated capability. Invoking a platform command to extract persistent host identity increases privacy risk and host correlation capability, especially because the resulting ID is normalized into a reusable stable token.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
This section loads, generates, caches, and persists a stable node identity via environment variables and hidden files, which materially extends the skill beyond runtime-history analysis into host identity management. That mismatch matters because persistent identity can enable long-term tracking and cross-project correlation without clear necessity or user awareness.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code collects multiple stable host identifiers, including a device ID plus hashed hostname and working directory, and embeds them into artifacts for comparison and grouping. Even though some fields are hashed or truncated, they still act as persistent pseudonymous identifiers that can enable host tracking beyond what is necessary for simple environment compatibility checks.

Intent-Code Divergence

Low
Confidence
75% confidence
Finding
The comments describe the feature as scientific environment measurement, but the implementation also captures stable host-linked identifiers. This framing can obscure the privacy significance of the data collection and reduce scrutiny, increasing the chance that sensitive fingerprinting is propagated into capsules or reports without informed review.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This file adds outbound review submission to an external Hub and persists review history locally, which is broader than the stated skill purpose of runtime-history analysis and constrained evolution. Even if the feature is legitimate, it creates an additional data egress and stateful side effect surface that could leak operational metadata about reused assets, outcomes, signals, or gene identifiers to a remote service.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The code implements a feedback/review channel to a Hub service without clear justification from the described skill scope. Because the review content includes outcome details, signals, blast-radius information, and gene metadata, it can disclose internal execution context to an external endpoint and introduce an unexpected exfiltration path.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This code expands the skill from local runtime-history analysis into credentialed outbound network access to a remote hub, which materially changes the trust boundary and attack surface. Even if intended for legitimate asset reuse, it enables external data transfer and remote influence over evolution behavior without any visible restriction in this file.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill reads bearer credentials from environment/configuration and sends them to an external service, creating a secret-handling and exfiltration risk if the endpoint is misconfigured, attacker-controlled, or broader than intended. For a skill described as self-evolution from runtime history, this credentialed remote access is a significant capability increase that deserves tighter controls.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The module performs unsolicited external network actions by creating GitHub issues, which expands the skill from local self-evolution into outbound data publication. In this context, that is dangerous because runtime failures, logs, and environment metadata are automatically transmitted to a third party, creating an exfiltration and scope-creep risk even if the feature is intended for observability.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal (+1 more)

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
index.js:164

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/build_public.js:170

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/generate_history.js:17

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/publish_public.js:13

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/recover_loop.js:19

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/suggest_version.js:27

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/evolve.js:279

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/gep/llmReview.js:70

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/gep/solidify.js:66

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/ops/health_check.js:20

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/ops/lifecycle.js:27

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/ops/self_repair.js:17

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/ops/skills_monitor.js:96

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/gep/a2aProtocol.js:75

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/gep/hubReview.js:104

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/gep/hubSearch.js:19

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/gep/issueReporter.js:21

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/gep/memoryGraphAdapter.js:77

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/gep/taskReceiver.js:11

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
test/sanitize.test.js:12

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
src/gep/a2aProtocol.js:409