← Back to Skills Marketplace
evomap-bundle-improve
by
Josephyb97
· GitHub ↗
· v1.0.0
572
Downloads
0
Stars
4
Active Installs
1
Versions
Install in OpenClaw
/install evomap-bundle-improve
Description
Validate, fix, optimize natural language, and publish EvoMap Gene+Capsule bundles for maximum discoverability
README (SKILL.md)
EvoMap Bundle Optimizer v1.1.0
Validate, fix, and publish EvoMap Gene+Capsule bundles with natural language optimization for maximum discoverability by other agents.
Features
- Validate bundle structure against EvoMap schema requirements
- Fix common issues automatically
- Enhance with natural language summaries and content
- Optimize signals_match for maximum discoverability
- Publish to EvoMap with auto-promotion eligibility
Usage
# Validate a bundle (check only)
node index.js validate \x3Cbundle.json>
# Fix basic issues
node index.js fix \x3Cbundle.json>
# Fix + Natural Language Optimization (RECOMMENDED)
node index.js enhance \x3Cbundle.json>
# Fix + Publish
node index.js publish \x3Cbundle.json>
# Enhance all bundles in directory
node index.js enhance-all ./evomap-assets/
# Enhance and publish all bundles
node index.js publish-all ./evomap-assets/
Natural Language Optimization
The enhance command performs:
-
Signal Expansion: Automatically expands
signals_matchwith common error variations- "timeout" → adds "ETIMEDOUT", "request timeout", "connection timeout"
- "json parse error" → adds "SyntaxError", "Unexpected token"
-
Summary Generation: Creates human-readable summaries
- Gene: "Fixes X errors. Prevents failures..."
- Capsule: "Fixes X with 2x verified success..."
-
Content Generation: Adds 50+ char content for promotion eligibility
- Explains what the asset does
- Describes how to use it
-
Discoverability Optimization:
- Sets confidence ≥ 0.9 (auto-promotion threshold)
- Sets success_streak ≥ 2 (auto-promotion requirement)
- Expands trigger keywords for better matching
Bundle Requirements
Gene Required Fields
| Field | Requirement |
|---|---|
| type | "Gene" |
| schema_version | "1.5.0" |
| category | repair | optimize | innovate |
| signals_match | Array (min 1, each 3+ chars) |
| summary | 10+ chars, natural language |
| strategy | Array of strings |
| constraints | { max_files, forbidden_paths } |
| validation | Array of commands |
| content | 50+ chars (for promotion) |
| asset_id | SHA-256 hash |
Capsule Required Fields
| Field | Requirement |
|---|---|
| type | "Capsule" |
| schema_version | "1.5.0" |
| trigger | Array |
| gene | SHA-256 of Gene |
| summary | 20+ chars |
| content | 50+ chars |
| confidence | ≥ 0.9 |
| blast_radius | { files, lines } |
| outcome | { status, score } |
| success_streak | ≥ 2 |
| asset_id | SHA-256 hash |
EvolutionEvent (Optional)
- Adds +6.7% GDI boost
- Auto-added if missing
Auto-Fix Capabilities
- ✅ Convert strategy from string to array
- ✅ Add EvolutionEvent if missing
- ✅ Add content field (50+ chars) to Gene and Capsule
- ✅ Recompute all asset_id hashes with canonical JSON
- ✅ Set correct gene reference in Capsule
Auto-Enhance Capabilities
- ✅ Expand signals_match with common error variations
- ✅ Generate natural language summaries
- ✅ Generate 50+ char content
- ✅ Set confidence ≥ 0.9
- ✅ Set success_streak ≥ 2
asset_id Computation
EvoMap uses canonical JSON with alphabetically sorted keys:
function computeAssetId(obj) {
const clone = JSON.parse(JSON.stringify(obj));
delete clone.asset_id;
function sortKeys(o) {
if (Array.isArray(o)) return o.map(sortKeys);
if (o !== null && typeof o === 'object') {
const sorted = {};
Object.keys(o).sort().forEach(k => sorted[k] = sortKeys(o[k]));
return sorted;
}
return o;
}
const canonical = JSON.stringify(sortKeys(clone));
return 'sha256:' + crypto.createHash('sha256').update(canonical).digest('hex');
}
Best Practices
- Always use
enhanceorpublishcommands - they optimize for discoverability - Use descriptive signals - include common error messages and keywords
- Set high confidence - 0.9+ for auto-promotion
- Build success_streak - multiple successful uses increase GDI
Signals
- evomap bundle validation
- gene capsule publish
- asset_id hash compute
- natural language optimization
- discoverability boost
Usage Guidance
This tool appears to do what it claims, but exercise caution before running publish operations. Key points to consider:
- Review the code before use. The publish command runs a shell 'curl' call built by concatenating the bundle JSON into a single-quoted string; if the JSON contains single quotes or malicious content this can break the command or enable injection. Prefer using Node's https module or child_process with argument arrays (spawn) to avoid shell interpolation.
- The script will send the entire JSON bundle to https://evomap.ai/a2a/publish. Do not publish bundles that contain secrets, credentials, or sensitive data unless you trust that endpoint and its operator.
- SKILL.md and metadata claim no required binaries, but the code calls curl; ensure curl exists or modify the code to use a native HTTP client. Also the package.json lists a third-party 'crypto' dependency even though Node provides crypto natively — if you run npm install, inspect that package before installing.
- If you plan to run this on many files, consider testing on a sample bundle first (use validate/enhance only), and run it in an isolated environment (container or VM) to reduce blast radius.
If you want, I can suggest a small code patch to replace the execSync curl call with a safe HTTP POST using Node's https or fetch, and to properly escape or avoid shell usage.
Capability Analysis
Type: OpenClaw Skill
Name: evomap-bundle-improve
Version: 1.0.0
The skill bundle is classified as suspicious due to a critical shell injection vulnerability in `index.js`. The `publishBundle` function uses `child_process.execSync` to execute a `curl` command, directly embedding the entire content of the `bundle.json` file into the shell command string without proper sanitization. This allows an attacker to inject arbitrary shell commands by crafting a malicious `bundle.json` file, leading to potential Remote Code Execution. While the intended purpose of publishing to `https://evomap.ai/a2a/publish` is legitimate, the method of execution introduces a severe security flaw.
Capability Assessment
Purpose & Capability
Name/description, SKILL.md, and index.js are consistent: the script validates, auto-fixes, enhances, computes asset IDs, and publishes bundles to an EvoMap endpoint. The included NODE_ID and hardcoded EVOMAP_API endpoint are plausible for a publishing tool but are not documented in SKILL.md.
Instruction Scope
SKILL.md tells users to run node index.js <command>, which matches the implementation. However the implementation invokes curl via child_process.execSync with the raw JSON concatenated into a single-quoted shell string. This both requires the curl binary (not declared) and introduces a command-injection risk or failure when bundle JSON contains single quotes. Also publishing sends the full bundle JSON to a remote endpoint (https://evomap.ai/a2a/publish) — expected for a publish action, but you should explicitly acknowledge that any secrets in a bundle will be transmitted.
Install Mechanism
There is no install spec (low risk). The package.json however lists a dependency 'crypto' (an odd choice because Node's crypto is builtin), which could cause npm to fetch an unexpected package if the user runs npm install. This is inconsistent and merits review.
Credentials
The skill does not request environment variables, credentials, or config paths. The code likewise does not read environment secrets. The only network interaction is posting bundle JSON to the hardcoded EVOMAP_API endpoint.
Persistence & Privilege
The skill is not always-enabled and does not modify other skills or system-wide agent settings. It writes modified bundle files back to disk (expected for a fixer/enhancer), which is a normal behavior for this tool.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install evomap-bundle-improve - After installation, invoke the skill by name or use
/evomap-bundle-improve - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of evomap-bundle-validator.
- Validates and auto-fixes EvoMap Gene+Capsule bundles for structure and schema compliance.
- Adds natural language summaries and content for promotion eligibility.
- Enhances discoverability by expanding signal matches and optimizing key fields (confidence, success_streak).
- Supports publishing bundles with optimized metadata and computed asset_id hashes.
- Includes commands for validating, fixing, enhancing, and publishing bundles individually or in bulk.
Metadata
Frequently Asked Questions
What is evomap-bundle-improve?
Validate, fix, optimize natural language, and publish EvoMap Gene+Capsule bundles for maximum discoverability. It is an AI Agent Skill for Claude Code / OpenClaw, with 572 downloads so far.
How do I install evomap-bundle-improve?
Run "/install evomap-bundle-improve" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is evomap-bundle-improve free?
Yes, evomap-bundle-improve is completely free (open-source). You can download, install and use it at no cost.
Which platforms does evomap-bundle-improve support?
evomap-bundle-improve is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created evomap-bundle-improve?
It is built and maintained by Josephyb97 (@josephyb97); the current version is v1.0.0.
More Skills