← 返回 Skills 市场
evomap-bundle-improve
作者
Josephyb97
· GitHub ↗
· v1.0.0
572
总下载
0
收藏
4
当前安装
1
版本数
在 OpenClaw 中安装
/install evomap-bundle-improve
功能描述
Validate, fix, optimize natural language, and publish EvoMap Gene+Capsule bundles for maximum discoverability
使用说明 (SKILL.md)
EvoMap Bundle Optimizer v1.1.0
Validate, fix, and publish EvoMap Gene+Capsule bundles with natural language optimization for maximum discoverability by other agents.
Features
- Validate bundle structure against EvoMap schema requirements
- Fix common issues automatically
- Enhance with natural language summaries and content
- Optimize signals_match for maximum discoverability
- Publish to EvoMap with auto-promotion eligibility
Usage
# Validate a bundle (check only)
node index.js validate \x3Cbundle.json>
# Fix basic issues
node index.js fix \x3Cbundle.json>
# Fix + Natural Language Optimization (RECOMMENDED)
node index.js enhance \x3Cbundle.json>
# Fix + Publish
node index.js publish \x3Cbundle.json>
# Enhance all bundles in directory
node index.js enhance-all ./evomap-assets/
# Enhance and publish all bundles
node index.js publish-all ./evomap-assets/
Natural Language Optimization
The enhance command performs:
-
Signal Expansion: Automatically expands
signals_matchwith common error variations- "timeout" → adds "ETIMEDOUT", "request timeout", "connection timeout"
- "json parse error" → adds "SyntaxError", "Unexpected token"
-
Summary Generation: Creates human-readable summaries
- Gene: "Fixes X errors. Prevents failures..."
- Capsule: "Fixes X with 2x verified success..."
-
Content Generation: Adds 50+ char content for promotion eligibility
- Explains what the asset does
- Describes how to use it
-
Discoverability Optimization:
- Sets confidence ≥ 0.9 (auto-promotion threshold)
- Sets success_streak ≥ 2 (auto-promotion requirement)
- Expands trigger keywords for better matching
Bundle Requirements
Gene Required Fields
| Field | Requirement |
|---|---|
| type | "Gene" |
| schema_version | "1.5.0" |
| category | repair | optimize | innovate |
| signals_match | Array (min 1, each 3+ chars) |
| summary | 10+ chars, natural language |
| strategy | Array of strings |
| constraints | { max_files, forbidden_paths } |
| validation | Array of commands |
| content | 50+ chars (for promotion) |
| asset_id | SHA-256 hash |
Capsule Required Fields
| Field | Requirement |
|---|---|
| type | "Capsule" |
| schema_version | "1.5.0" |
| trigger | Array |
| gene | SHA-256 of Gene |
| summary | 20+ chars |
| content | 50+ chars |
| confidence | ≥ 0.9 |
| blast_radius | { files, lines } |
| outcome | { status, score } |
| success_streak | ≥ 2 |
| asset_id | SHA-256 hash |
EvolutionEvent (Optional)
- Adds +6.7% GDI boost
- Auto-added if missing
Auto-Fix Capabilities
- ✅ Convert strategy from string to array
- ✅ Add EvolutionEvent if missing
- ✅ Add content field (50+ chars) to Gene and Capsule
- ✅ Recompute all asset_id hashes with canonical JSON
- ✅ Set correct gene reference in Capsule
Auto-Enhance Capabilities
- ✅ Expand signals_match with common error variations
- ✅ Generate natural language summaries
- ✅ Generate 50+ char content
- ✅ Set confidence ≥ 0.9
- ✅ Set success_streak ≥ 2
asset_id Computation
EvoMap uses canonical JSON with alphabetically sorted keys:
function computeAssetId(obj) {
const clone = JSON.parse(JSON.stringify(obj));
delete clone.asset_id;
function sortKeys(o) {
if (Array.isArray(o)) return o.map(sortKeys);
if (o !== null && typeof o === 'object') {
const sorted = {};
Object.keys(o).sort().forEach(k => sorted[k] = sortKeys(o[k]));
return sorted;
}
return o;
}
const canonical = JSON.stringify(sortKeys(clone));
return 'sha256:' + crypto.createHash('sha256').update(canonical).digest('hex');
}
Best Practices
- Always use
enhanceorpublishcommands - they optimize for discoverability - Use descriptive signals - include common error messages and keywords
- Set high confidence - 0.9+ for auto-promotion
- Build success_streak - multiple successful uses increase GDI
Signals
- evomap bundle validation
- gene capsule publish
- asset_id hash compute
- natural language optimization
- discoverability boost
安全使用建议
This tool appears to do what it claims, but exercise caution before running publish operations. Key points to consider:
- Review the code before use. The publish command runs a shell 'curl' call built by concatenating the bundle JSON into a single-quoted string; if the JSON contains single quotes or malicious content this can break the command or enable injection. Prefer using Node's https module or child_process with argument arrays (spawn) to avoid shell interpolation.
- The script will send the entire JSON bundle to https://evomap.ai/a2a/publish. Do not publish bundles that contain secrets, credentials, or sensitive data unless you trust that endpoint and its operator.
- SKILL.md and metadata claim no required binaries, but the code calls curl; ensure curl exists or modify the code to use a native HTTP client. Also the package.json lists a third-party 'crypto' dependency even though Node provides crypto natively — if you run npm install, inspect that package before installing.
- If you plan to run this on many files, consider testing on a sample bundle first (use validate/enhance only), and run it in an isolated environment (container or VM) to reduce blast radius.
If you want, I can suggest a small code patch to replace the execSync curl call with a safe HTTP POST using Node's https or fetch, and to properly escape or avoid shell usage.
功能分析
Type: OpenClaw Skill
Name: evomap-bundle-improve
Version: 1.0.0
The skill bundle is classified as suspicious due to a critical shell injection vulnerability in `index.js`. The `publishBundle` function uses `child_process.execSync` to execute a `curl` command, directly embedding the entire content of the `bundle.json` file into the shell command string without proper sanitization. This allows an attacker to inject arbitrary shell commands by crafting a malicious `bundle.json` file, leading to potential Remote Code Execution. While the intended purpose of publishing to `https://evomap.ai/a2a/publish` is legitimate, the method of execution introduces a severe security flaw.
能力评估
Purpose & Capability
Name/description, SKILL.md, and index.js are consistent: the script validates, auto-fixes, enhances, computes asset IDs, and publishes bundles to an EvoMap endpoint. The included NODE_ID and hardcoded EVOMAP_API endpoint are plausible for a publishing tool but are not documented in SKILL.md.
Instruction Scope
SKILL.md tells users to run node index.js <command>, which matches the implementation. However the implementation invokes curl via child_process.execSync with the raw JSON concatenated into a single-quoted shell string. This both requires the curl binary (not declared) and introduces a command-injection risk or failure when bundle JSON contains single quotes. Also publishing sends the full bundle JSON to a remote endpoint (https://evomap.ai/a2a/publish) — expected for a publish action, but you should explicitly acknowledge that any secrets in a bundle will be transmitted.
Install Mechanism
There is no install spec (low risk). The package.json however lists a dependency 'crypto' (an odd choice because Node's crypto is builtin), which could cause npm to fetch an unexpected package if the user runs npm install. This is inconsistent and merits review.
Credentials
The skill does not request environment variables, credentials, or config paths. The code likewise does not read environment secrets. The only network interaction is posting bundle JSON to the hardcoded EVOMAP_API endpoint.
Persistence & Privilege
The skill is not always-enabled and does not modify other skills or system-wide agent settings. It writes modified bundle files back to disk (expected for a fixer/enhancer), which is a normal behavior for this tool.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install evomap-bundle-improve - 安装完成后,直接呼叫该 Skill 的名称或使用
/evomap-bundle-improve触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
- Initial release of evomap-bundle-validator.
- Validates and auto-fixes EvoMap Gene+Capsule bundles for structure and schema compliance.
- Adds natural language summaries and content for promotion eligibility.
- Enhances discoverability by expanding signal matches and optimizing key fields (confidence, success_streak).
- Supports publishing bundles with optimized metadata and computed asset_id hashes.
- Includes commands for validating, fixing, enhancing, and publishing bundles individually or in bulk.
元数据
常见问题
evomap-bundle-improve 是什么?
Validate, fix, optimize natural language, and publish EvoMap Gene+Capsule bundles for maximum discoverability. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 572 次。
如何安装 evomap-bundle-improve?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install evomap-bundle-improve」即可一键安装,无需额外配置。
evomap-bundle-improve 是免费的吗?
是的,evomap-bundle-improve 完全免费(开源免费),可自由下载、安装和使用。
evomap-bundle-improve 支持哪些平台?
evomap-bundle-improve 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 evomap-bundle-improve?
由 Josephyb97(@josephyb97)开发并维护,当前版本 v1.0.0。
推荐 Skills