harrylabsj

Skill Auto Evolver

by haidong · GitHub ↗ · v0.1.1 · MIT-0
cross-platform ⚠ suspicious
343 Downloads · 0 Stars · 4 Active Installs · 2 Versions
Install in OpenClaw
/install skill-auto-evolver
Description
Analyze and improve OpenClaw agent skills by tracking usage, checking skill health, scanning code quality, and generating actionable improvement suggestions....
Usage Guidance
This package appears to implement the advertised analyzer/monitor/reporter functionality, but I found multiple red flags you should consider before installing:

- Source verification: the package's source/homepage is 'unknown' and the registry listed it as instruction-only while the bundle contains code. Prefer installing only from a trusted repository (official OpenClaw repo or a verified release).
- Local data access: the tool reads all files under the skills directory (default ~/.openclaw/skills) and writes a SQLite DB to ~/.openclaw/skill-evolver/skill_evolver.db. That is expected for this tool, but any sensitive data accidentally stored inside a skill (API keys, tokens, credentials) could be read and stored in the DB. Inspect your skills for secrets before running a bulk analysis.
- Code quality bugs: there are clear implementation issues (examples: truncated/buggy return in database.add_feedback returning an undefined variable 'c'; some function calls in CLI/reporter reference methods like get_all_skills or get_feedback_stats that are not visible in the truncated model and may be missing or buggy). These likely lead to runtime errors. Treat the tool as experimental until you run it in a safe environment.
- Installation and execution: because the registry lacks an install spec, prefer installing into a virtualenv, container, or isolated machine. Install dependencies (pip install -r requirements.txt) only after reviewing the code locally.
- Mitigations: run the CLI with a non-default skills_dir pointing to a copy of the skills you want to test, inspect the generated DB file, and avoid running as root. If you intend to use it widely, request the upstream source, check commit history, and run tests in a sandbox.

If you can provide the canonical source URL (GitHub repo or release tarball) and confirm whether all referenced DB and helper methods are implemented, I can raise or lower the risk assessment. In particular, evidence of networking code, undisclosed external endpoints, or hidden credential access would increase the severity.
Capability Analysis
Type: OpenClaw Skill
Name: skill-auto-evolver
Version: 0.1.1

The skill bundle provides a utility for monitoring and analyzing OpenClaw skills, but it contains a SQL injection vulnerability in 'database/models.py' where the 'days' parameter is inserted into SQLite queries using string formatting rather than parameterization. While the tool's ability to read and analyze all files in the '~/.openclaw/skills' directory is aligned with its stated purpose of code quality analysis, this represents a high-privilege capability. No evidence of intentional malice, data exfiltration, or backdoors was identified.
Capability Assessment
Purpose & Capability
The name/description (analyzer/monitor/reporter for skills) aligns with the included code: it inspects SKILL.md, package.json and Python code, records usage, and generates reports. However the registry/manifest states 'No install spec — instruction-only' while the package includes code, package.json, requirements.txt and a CLI; that mismatch is an inconsistency. The README and SKILL.md suggest installation via 'clawhub install', but no install spec exists in the registry metadata.
Instruction Scope
Runtime instructions and the CLI drive local analysis: reading skill directories (defaults to ~/.openclaw/skills), parsing SKILL.md, package.json and Python source, and writing reports/databases under the user home (~/.openclaw/skill-evolver). Those actions are expected for this tool. Caveat: because it reads arbitrary files under the skills directory, it can access any accidentally stored secrets or configuration present in other skills; the behavior is coherent with the stated purpose but may expose sensitive data if skills store credentials in their repos.
Install Mechanism
There is no install spec in the registry but the bundle includes code, requirements.txt, and package.json. That absence of an explicit install mechanism is inconsistent and increases risk (user guidance suggests 'clawhub install' or pip install -r requirements.txt). The presence of package.json (a Node metadata file) in a Python project is odd but not malicious by itself. No network downloads or external installers are present in the provided code.
Credentials
The skill requests no environment variables or external credentials. It stores data locally under the user's home (~/.openclaw/skill-evolver) and reads from ~/.openclaw/skills by default. No access to unrelated cloud credentials, tokens, or system-wide config paths is requested.
Persistence & Privilege
always is false and the skill does not request elevated privileges; it persists a SQLite DB in the user's home directory (expected for a monitoring/reporting tool). Autonomous invocation is allowed by default (normal), but there is no evidence of modifications to other skills' configs or system-wide changes.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install skill-auto-evolver
  3. After installation, invoke the skill by name or use /skill-auto-evolver
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.1
Rename the skill to skill-auto-evolver and align the published SKILL.md, install command, CLI command, and package metadata with the new name.
v0.1.0
Initial release of skill-auto-evolver.
- Provides a Python CLI tool for automatic monitoring, analysis, and optimization of Agent Skills.
- Tracks usage statistics, evaluates skill health, analyzes code quality, and generates improvement suggestions.
- Supports exporting reports in JSON, Markdown, and HTML formats.
- Includes a Python API for integration with existing skills.
- Offers detailed CLI commands for usage tracking, feedback submission, reporting, and data management.
- Stores data locally using SQLite3.
Metadata
Slug skill-auto-evolver
Version 0.1.1
License MIT-0
All-time Installs 4
Active Installs 4
Total Versions 2
Frequently Asked Questions

What is Skill Auto Evolver?

Analyze and improve OpenClaw agent skills by tracking usage, checking skill health, scanning code quality, and generating actionable improvement suggestions.... It is an AI Agent Skill for Claude Code / OpenClaw, with 343 downloads so far.

How do I install Skill Auto Evolver?

Run "/install skill-auto-evolver" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Skill Auto Evolver free?

Yes, Skill Auto Evolver is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Skill Auto Evolver support?

Skill Auto Evolver is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Skill Auto Evolver?

It is built and maintained by haidong (@harrylabsj); the current version is v0.1.1.
