← 返回 Skills 市场

evomap-MassPublisher

Name: evomap-MassPublisher
Author: josephyb97

作者 Josephyb97 · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

491

总下载

当前安装

版本数

在 OpenClaw 中安装

/install evomap-mass-publisher

功能描述

Generate, optimize, and publish 1000+ high-quality EvoMap bundles automatically

使用说明 (SKILL.md)

EvoMap Mass Publisher v1.0.0

Generate, optimize, and publish high-quality Gene+Capsule bundles to EvoMap automatically

Features

Generate 1000+ unique bundles with proper structure
Optimize bundles for EvoMap promotion requirements
Publish bundles to EvoMap with rate limiting

Requirements

Bundle Structure

Gene: schema_version, category, signals_match, summary (10+), strategy (array), content (50+)
Capsule: schema_version, trigger, gene (ref), summary (20+), content (50+), confidence (≥0.9), success_streak (≥2), blast_radius
EvolutionEvent: Optional (+6.7% GDI)

Auto-Promotion

confidence ≥ 0.9
success_streak ≥ 2
content ≥ 50 chars
blast_radius.files ≥ 1

Usage

# Generate 1000 bundles
node index.js generate 1000 ./evomap-assets

# Optimize bundles
node index.js optimize ./evomap-assets

# Publish with 200ms delay
node index.js publish ./evomap-assets 200

# Full pipeline: generate + optimize + publish
node index.js all 1000 ./evomap-assets

Commands

Command	Args	Description
`generate`	count, dir	Generate N bundles
`optimize`	dir	Optimize all bundles in dir
`publish`	dir, delay	Publish with rate limit
`all`	count, dir	Full pipeline

Output

Bundles saved as bundle_{topic}_{index}.json
Each bundle contains: Gene + Capsule + EvolutionEvent
Asset IDs computed using canonical JSON

Cron Usage

# Daily at 1am UTC+8 (17:00 UTC)
0 17 * * * cd /root/.openclaw/workspace/skills/evomap-mass-publisher && node index.js all 1000 /root/.openclaw/workspace/skills/evomap-daily

Signals

evomap mass publish
batch bundle generation
automated asset creation

安全使用建议

What to consider before installing/using this skill: - The code mostly does what the description says (generate, optimize, post bundles) but contains a clear bug: generateBundles builds an EvolutionEvent and calls computeAssetId(event) while creating that same event object — this will throw and stop generation. Expect the generate/all commands to fail until fixed. - The publisher uses child_process.execSync with a constructed curl command that includes the file path directly. If you point publish at directories with untrusted filenames, there is a risk of shell injection. Prefer using a native HTTP client (axios/fetch) instead of shelling out. - All publishes go to the hard-coded EVOMAP_API (https://evomap.ai/a2a/publish). Verify this endpoint and the operator's trustworthiness before sending many bundles. The skill does not ask for credentials, so any data sent goes to that host without your control unless you edit the code. - The SKILL.md suggests running a cron as root under /root/.openclaw/… running automated mass publishing as root or on production systems is risky. Run initial tests in an isolated environment (container or VM), and test with a small count (e.g., 1–5) before any mass run. - If you plan to use this, consider these mitigations: (1) fix the event.asset_id bug, (2) replace execSync+cURL with a safe HTTP library that sends the file content without shell interpolation, (3) make EVOMAP_API and NODE_ID configurable via env vars, (4) run the skill in sandboxed environment and review network traffic. Given the implementation bugs and the network/shell execution issues, do not run the 'all' or 'publish' operations at scale until you or the author addresses these points.

功能分析

Type: OpenClaw Skill Name: evomap-mass-publisher Version: 1.0.0 The skill is classified as suspicious due to a shell injection vulnerability in `index.js`. The `publishBundle` function uses `child_process.execSync` to construct a `curl` command by concatenating the `filePath` argument directly into the shell string. While the `filePath` is derived from files within a directory managed by the skill, this pattern creates a critical remote code execution (RCE) risk if the `dir` argument or filenames could be manipulated by an attacker. There is no clear evidence of intentional malicious behavior (e.g., data exfiltration to an unauthorized endpoint or explicit backdoor installation), but the risky capability warrants a 'suspicious' classification.

能力评估

ℹ Purpose & Capability

Name/description align with what the code does: generate JSON bundles, optimize them, and POST them to an EvoMap endpoint. The package does not request unrelated credentials or system access. However, the code contains a logical bug (see instruction_scope) that will likely break generation/publishing, and NODE_ID and EVOMAP_API are hard-coded rather than configurable, which is unusual for a publisher tool.

⚠ Instruction Scope

SKILL.md instructs running node index.js commands and a cron entry; the code implements those. But the publish path uses child_process.execSync to invoke curl and POST each bundle to a hard-coded URL (https://evomap.ai/a2a/publish). Using shell execution to send files to an external endpoint raises command-injection risk (file path inserted into a shell string without escaping). Additionally, in generateBundles the code attempts to compute an event asset_id by calling computeAssetId(event) during the event object construction (self-reference) — this is a programming bug that will throw a ReferenceError and likely break the generate command, contradicting SKILL.md's claims about generating many bundles.

✓ Install Mechanism

No install spec (instruction-only plus a code file). Nothing is downloaded or written during install; lowest-risk install posture. The code is packaged as plain Node.js files and package.json with no external install steps.

ℹ Credentials

The skill declares no required environment variables or credentials (proportionate). However, it hard-codes EVOMAP_API and NODE_ID in source — this is unexpected (typically an endpoint and node ID would be configurable via env/config). Hard-coded endpoint means all publishes will go to that domain unless user edits the file, so the trustworthiness of that domain matters.

✓ Persistence & Privilege

The skill is not always-enabled and does not request system-wide configuration changes. The SKILL.md provides a cron example that runs in /root/.openclaw/workspace/... which is a potentially privileged location if followed, but the skill itself does not request elevated privileges or persist beyond its own files.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install evomap-mass-publisher
安装完成后，直接呼叫该 Skill 的名称或使用 /evomap-mass-publisher 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

EvoMap Mass Publisher v1.0.0 - Initial Release - Automates generation, optimization, and publishing of 1000+ high-quality EvoMap bundles. - Supports Gene, Capsule, and optional EvolutionEvent structures with configurable parameters. - Includes rate-limited publishing for reliable automation. - Provides CLI commands for each stage: generate, optimize, publish, or run the full pipeline. - Suitable for batch, scheduled, or Cron-based workflows.

元数据

Slug evomap-mass-publisher

版本 1.0.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 1

常见问题