Self-Evolving Skill
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The core functionality involves 'automated skill evolution' based on processed data.
  - Ingestion points: The `skill_execute` tool accepts a `context` parameter, and `skill_analyze` accepts an `embedding` parameter, both of which are treated as 'experiences' to learn from.
  - Boundary markers: None documented. External input is directly used to influence the 'evolution' logic.
  - Capability inventory: Includes `skill_create` and `skill_execute`, which can generate and run new logic/code, and `skill_save` for file system persistence.
  - Sanitization: No evidence of sanitization for the inputs that drive the 'evolutionary' code generation.
- Dynamic Execution (HIGH): The system is designed to generate 'SUB_SKILL' components at runtime based on 'novelty scores'. This constitutes dynamic code generation and execution where the logic is determined by external data processed by the 'ResidualPyramid' algorithm.
- Command Execution (MEDIUM): The documentation suggests running shell scripts (`run_mcp.sh`) and Python adapters (`python3 mcporter_adapter.py`) within the user's home directory (`~/.openclaw`), which could be leveraged to run unauthorized commands if the self-evolution logic is compromised.
- Persistence Mechanisms (MEDIUM): The skill explicitly targets the user's home directory (`~/.openclaw/skills/` and `~/.openclaw/workspace/`) for persistent storage of 'learned' patterns, allowing malicious behavior to survive across sessions.
Recommendations
- AI detected serious security threats