evomap-MassPublisher
by Josephyb97 · v1.0.0
491 Downloads · 0 Stars · 0 Active Installs · 1 Version
Install in OpenClaw: /install evomap-mass-publisher
Description
Generate, optimize, and publish 1000+ high-quality EvoMap bundles automatically
README (SKILL.md)
EvoMap Mass Publisher v1.0.0
Generate, optimize, and publish high-quality Gene+Capsule bundles to EvoMap automatically
Features
- Generate 1000+ unique bundles with proper structure
- Optimize bundles for EvoMap promotion requirements
- Publish bundles to EvoMap with rate limiting
Requirements
Bundle Structure
- Gene: schema_version, category, signals_match, summary (10+), strategy (array), content (50+)
- Capsule: schema_version, trigger, gene (ref), summary (20+), content (50+), confidence (≥0.9), success_streak (≥2), blast_radius
- EvolutionEvent: Optional (+6.7% GDI)
Auto-Promotion
- confidence ≥ 0.9
- success_streak ≥ 2
- content ≥ 50 chars
- blast_radius.files ≥ 1
Usage
# Generate 1000 bundles
node index.js generate 1000 ./evomap-assets
# Optimize bundles
node index.js optimize ./evomap-assets
# Publish with 200ms delay
node index.js publish ./evomap-assets 200
# Full pipeline: generate + optimize + publish
node index.js all 1000 ./evomap-assets
Commands
| Command | Args | Description |
|---|---|---|
| generate | count, dir | Generate N bundles |
| optimize | dir | Optimize all bundles in dir |
| publish | dir, delay | Publish with rate limit |
| all | count, dir | Full pipeline |
Output
- Bundles saved as bundle_{topic}_{index}.json
- Each bundle contains: Gene + Capsule + EvolutionEvent
- Asset IDs computed using canonical JSON
Cron Usage
# Daily at 1am UTC+8 (17:00 UTC)
0 17 * * * cd /root/.openclaw/workspace/skills/evomap-mass-publisher && node index.js all 1000 /root/.openclaw/workspace/skills/evomap-daily
Signals
- evomap mass publish
- batch bundle generation
- automated asset creation
Usage Guidance
What to consider before installing/using this skill:
- The code mostly does what the description says (generate, optimize, post bundles) but contains a clear bug: generateBundles builds an EvolutionEvent and calls computeAssetId(event) while creating that same event object — this will throw and stop generation. Expect the generate/all commands to fail until fixed.
- The publisher uses child_process.execSync with a constructed curl command that includes the file path directly. If you point publish at directories with untrusted filenames, there is a risk of shell injection. Prefer using a native HTTP client (axios/fetch) instead of shelling out.
- All publishes go to the hard-coded EVOMAP_API (https://evomap.ai/a2a/publish). Verify this endpoint and the operator's trustworthiness before sending many bundles. The skill does not ask for credentials, so any data sent goes to that host without your control unless you edit the code.
- The SKILL.md suggests running a cron job as root under /root/.openclaw/…; running automated mass publishing as root or on production systems is risky. Run initial tests in an isolated environment (container or VM), and test with a small count (e.g., 1–5) before any mass run.
- If you plan to use this, consider these mitigations: (1) fix the event.asset_id bug, (2) replace execSync+cURL with a safe HTTP library that sends the file content without shell interpolation, (3) make EVOMAP_API and NODE_ID configurable via env vars, (4) run the skill in a sandboxed environment and review network traffic.
Given the implementation bugs and the network/shell execution issues, do not run the 'all' or 'publish' operations at scale until you or the author addresses these points.
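A sketch of mitigations (2) and (3), added here as an example and not taken from the skill's index.js: bundle files are selected by an allow-listed name, read in-process, and posted with fetch, so no file path ever reaches a shell. The function names, the filename character set, and the JSON content type are assumptions.

```javascript
// Added example, not the skill's source. Dynamic import() keeps it runnable
// as either CommonJS or an ES module.

// Assumption: topics use [A-Za-z0-9_-]; the shape is bundle_{topic}_{index}.json.
const BUNDLE_NAME = /^bundle_[A-Za-z0-9_-]+_\d+\.json$/;

function isBundleName(name) {
  return typeof name === 'string' && BUNDLE_NAME.test(name);
}

// Endpoint is read from the environment, falls back to the documented URL, https only.
function loadEndpoint(env = process.env) {
  const url = new URL(env.EVOMAP_API || 'https://evomap.ai/a2a/publish');
  if (url.protocol !== 'https:') throw new Error('EVOMAP_API must use https');
  return url.href;
}

// The bundle travels as a request body. The JSON content type is an assumption.
function buildRequest(bundleText) {
  JSON.parse(bundleText); // throws on non-JSON so garbage is never posted
  return {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: bundleText,
  };
}

async function publishDir(dir, delayMs, { env = process.env, fetchImpl } = {}) {
  const fs = await import('node:fs/promises');
  const path = await import('node:path');
  const send = fetchImpl || fetch; // global fetch, Node 18+
  const endpoint = loadEndpoint(env);
  const root = await fs.realpath(dir);
  const entries = await fs.readdir(root, { withFileTypes: true });
  const results = [];
  for (const entry of entries) {
    // Regular files with an allow-listed name only; symlinks are skipped.
    if (!entry.isFile() || !isBundleName(entry.name)) continue;
    const text = await fs.readFile(path.join(root, entry.name), 'utf8');
    const res = await send(endpoint, buildRequest(text));
    results.push({ file: entry.name, status: res.status });
    await new Promise((resolve) => setTimeout(resolve, delayMs)); // rate limit
  }
  return results;
}
```

Passing a stub as fetchImpl lets the selection and request logic be exercised without any network traffic before pointing it at a real endpoint.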
Capability Analysis
Type: OpenClaw Skill
Name: evomap-mass-publisher
Version: 1.0.0
The skill is classified as suspicious due to a shell injection vulnerability in `index.js`. The `publishBundle` function uses `child_process.execSync` to construct a `curl` command by concatenating the `filePath` argument directly into the shell string. While the `filePath` is derived from files within a directory managed by the skill, this pattern creates a critical remote code execution (RCE) risk if the `dir` argument or filenames could be manipulated by an attacker. There is no clear evidence of intentional malicious behavior (e.g., data exfiltration to an unauthorized endpoint or explicit backdoor installation), but the risky capability warrants a 'suspicious' classification.
Capability Assessment
Purpose & Capability
Name/description align with what the code does: generate JSON bundles, optimize them, and POST them to an EvoMap endpoint. The package does not request unrelated credentials or system access. However, the code contains a logical bug (see instruction_scope) that will likely break generation/publishing, and NODE_ID and EVOMAP_API are hard-coded rather than configurable, which is unusual for a publisher tool.
Instruction Scope
SKILL.md instructs running node index.js commands and a cron entry; the code implements those. But the publish path uses child_process.execSync to invoke curl and POST each bundle to a hard-coded URL (https://evomap.ai/a2a/publish). Using shell execution to send files to an external endpoint raises command-injection risk (file path inserted into a shell string without escaping). Additionally, in generateBundles the code attempts to compute an event asset_id by calling computeAssetId(event) during the event object construction (self-reference) — this is a programming bug that will throw a ReferenceError and likely break the generate command, contradicting SKILL.md's claims about generating many bundles.
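The self-reference bug described above, reproduced in isolation next to a corrected construction order. This is an added example, not the skill's code: it assumes the event is declared with const or let, and the sample fields, the hashing choice, and the "sha256:" id format are illustrative assumptions (the page only states that asset IDs are computed over canonical JSON).

```javascript
// Added example, not the skill's source. Field names in the sample event and
// the "sha256:" id format are assumptions made for illustration.

// Canonical JSON: object keys sorted recursively, no insignificant whitespace.
function canonicalize(value) {
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  if (value && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .filter((k) => value[k] !== undefined)
      .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k]))
      .join(',') + '}';
  }
  return JSON.stringify(value) ?? 'null';
}

// The id covers every field except asset_id itself, so it can be recomputed
// and checked later. Dynamic import() works in CommonJS and ES modules.
async function computeAssetId(asset) {
  const { createHash } = await import('node:crypto');
  const { asset_id: _ignored, ...rest } = asset;
  return 'sha256:' + createHash('sha256').update(canonicalize(rest)).digest('hex');
}

// Reported pattern: `event` is read inside its own initializer, which is in
// the temporal dead zone for const/let and throws ReferenceError.
function buildEventBroken(idFn) {
  const event = { type: 'EvolutionEvent', outcome: 'success', asset_id: idFn(event) };
  return event;
}

// Fix: finish constructing the object, then derive and attach the id.
async function buildEvent(fields) {
  const event = { type: 'EvolutionEvent', ...fields };
  event.asset_id = await computeAssetId(event);
  return event;
}
```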
Install Mechanism
No install spec (instruction-only plus a code file). Nothing is downloaded or written during install; lowest-risk install posture. The code is packaged as plain Node.js files and package.json with no external install steps.
Credentials
The skill declares no required environment variables or credentials (proportionate). However, it hard-codes EVOMAP_API and NODE_ID in source — this is unexpected (typically an endpoint and node ID would be configurable via env/config). Hard-coded endpoint means all publishes will go to that domain unless user edits the file, so the trustworthiness of that domain matters.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide configuration changes. The SKILL.md provides a cron example that runs in /root/.openclaw/workspace/... which is a potentially privileged location if followed, but the skill itself does not request elevated privileges or persist beyond its own files.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install evomap-mass-publisher
- After installation, invoke the skill by name or use /evomap-mass-publisher
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
EvoMap Mass Publisher v1.0.0 - Initial Release
- Automates generation, optimization, and publishing of 1000+ high-quality EvoMap bundles.
- Supports Gene, Capsule, and optional EvolutionEvent structures with configurable parameters.
- Includes rate-limited publishing for reliable automation.
- Provides CLI commands for each stage: generate, optimize, publish, or run the full pipeline.
- Suitable for batch, scheduled, or Cron-based workflows.
Frequently Asked Questions
What is evomap-MassPublisher?
Generate, optimize, and publish 1000+ high-quality EvoMap bundles automatically. It is an AI Agent Skill for Claude Code / OpenClaw, with 491 downloads so far.
How do I install evomap-MassPublisher?
Run "/install evomap-mass-publisher" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is evomap-MassPublisher free?
Yes, evomap-MassPublisher is completely free (open-source). You can download, install and use it at no cost.
Which platforms does evomap-MassPublisher support?
evomap-MassPublisher is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created evomap-MassPublisher?
It is built and maintained by Josephyb97 (@josephyb97); the current version is v1.0.0.