capability-evolver Security Audit Report
capability-evolver is an AI agent skill, created by OpenClaw and published at openclaw/skills. ClawSecure audited capability-evolver across 60 files through the 3-Layer Audit Protocol covering all ten OWASP ASI Top 10 categories, assigning a security score of 0/100 (High Risk). The 174 findings concentrate in Data Exfiltration, Command Injection and Malicious Code, including Pattern detected: require('child_process') and Pattern detected: require('child_process'). 162 were rated high or critical severity.
Is capability-evolver safe?
ClawSecure audited capability-evolver and assigned a security score of 0/100 (High Risk), identifying 174 findings across Data Exfiltration and Command Injection. Review the findings below before installing.
What did ClawSecure find in capability-evolver?
ClawSecure identified 174 findings in capability-evolver, concentrated in Data Exfiltration, Command Injection and Malicious Code. 162 were rated high or critical severity. The most severe include Pattern detected: require('child_process') and Pattern detected: require('child_process').
How was capability-evolver audited?
ClawSecure ran capability-evolver through its 3-Layer Audit Protocol with full OWASP ASI Top 10 coverage, scanning 60 files from openclaw/skills.
What does a score of 0 mean?
ClawSecure assigned capability-evolver a security score of 0/100, placing it in the High Risk range. This is driven by 174 findings led by Data Exfiltration that should be addressed before use. ClawSecure derives this score with a weighted deduction model (critical -20, high -10, medium -5, low -2 from a base of 100).
Audit Findings for capability-evolver
ClawSecure detected 174 security findings in capability-evolver, spanning Data Exfiltration, Command Injection, Malicious Code and Policy Violation.
- critical · Pattern detected: require('child_process'). Command Injection finding detected in
index.js:7. - critical · Pattern detected: require('child_process'). Command Injection finding detected in
scripts/build_public.js:3. - critical · Pattern detected: execSync(. Command Injection finding detected in
scripts/build_public.js:169. - critical · Pattern detected: require('child_process'). Command Injection finding detected in
scripts/generate_history.js:1. - critical · Pattern detected: execSync(. Command Injection finding detected in
scripts/generate_history.js:17. - critical · Pattern detected: require('child_process'). Command Injection finding detected in
scripts/publish_public.js:1. - critical · Pattern detected: execSync(. Command Injection finding detected in
scripts/publish_public.js:13. - critical · Pattern detected: spawnSync(. Command Injection finding detected in
scripts/publish_public.js:19. - critical · Pattern detected: spawnSync(. Command Injection finding detected in
scripts/publish_public.js:22. - critical · Pattern detected: spawnSync(. Command Injection finding detected in
scripts/publish_public.js:94. - critical · Pattern detected: spawnSync(. Command Injection finding detected in
scripts/publish_public.js:97. - critical · Pattern detected: spawnSync(. Command Injection finding detected in
scripts/publish_public.js:228.
Showing the 12 highest-severity of 174 findings. The full interactive list appears below.
3-Layer Audit Protocol
Security Recommendations for capability-evolver
Audit external network connections
Harden command execution
Resolve policy violations
Related Security Research
ClawHavoc Explained: The Malware Family Targeting AI Agents→Beyond Static Scans: Why ClawSecure Verifies Agentic Intent→Related AI Agent Security Audits
Scanned on March 2, 2026. capability-evolver is one of thousands of agents audited by ClawSecure from the community-curated awesome-openclaw-skills list and the openclaw/skills repository.