skillclaw-skill-evolution
Warn
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: MEDIUM
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill requires the execution of shell scripts for installation (`scripts/install_skillclaw.sh` and `scripts/install_skillclaw_server.sh`) and makes global system modifications via `npm install -g`.
- [EXTERNAL_DOWNLOADS]: The skill processes code downloaded from remote repositories (`git clone`) and external package registries (NPM).
- [DATA_EXFILTRATION]: The framework functions as a local proxy that intercepts OpenAI-compatible API calls, giving it direct access to user prompts and the `OPENAI_API_KEY`. This intercepted data is subsequently uploaded to external cloud storage (OSS or S3 buckets).
- [PROMPT_INJECTION]: The 'skill evolution' mechanism presents a high risk of indirect prompt injection.
  - Ingestion points: Untrusted session data (user input and LLM responses) is captured via the proxy and ingested by the evolution server.
  - Boundary markers: There are no apparent delimiters or instructions to ignore malicious commands embedded in the captured session data during the 'Summarize' and 'Aggregate' stages.
  - Capability inventory: The system generates `SKILL.md` files that define future agent behavior and synchronizes them across entire agent clusters.
  - Sanitization: The skill lacks explicit sanitization or validation logic to filter out adversarial instructions before they are distilled into reusable skill files.
Audit Metadata