The only agent framework that improves itself while you sleep. Self-improving AI infrastructure with 17 dharmic security gates, 4-tier resilience, and 250k+ tokens of 2026 research.
Security Analysis
medium confidenceThe package appears to be a marketing-heavy agent framework that largely aligns with its stated purpose, but several operational claims (automatic overnight research, self-updating, access to MCP servers, review/update hooks) are not implemented in the bundled files and the installer does unpinned network installs — this mismatch and the unverified install behavior warrant caution.
Name/description claim a self-improving, always-researching agentic framework. The included files (examples, README, SKILL.md) are consistent with a multi-agent framework in concept, but many bold claims (automatic nightly scans of the '2026 frontier', 'proposes updates to itself', '10,000+ MCP servers accessible', commercial SLAs) are not substantiated by code in the bundle. The examples simulate self-improvement locally (randomness) rather than implementing network crawling, discovery, or an updater. In short: marketing claims exceed the actual code footprint.
SKILL.md and examples instruct simple local execution (python Council().activate(), run examples). However the runtime docs promise autonomous overnight research, proposals, and self-updates and reference commands like 'clawhub review-updates' and persistent background cycles — none of which are implemented in the provided scripts. The install script does not set up schedulers, cronjobs, daemons, or network scanning. This is scope creep / misrepresentation rather than direct data-exfiltration instructions, but it grants the skill broad implied authority without code to justify it.
There is no compiled binary or external archive; install is via an included install.sh which runs pip install for multiple packages (langgraph, openai-agents, crewai, pydantic-ai, mem0, zep-python) without pinned versions and suppresses errors (|| true). Pip installs from PyPI are moderate risk: network fetches of third-party packages happen at install time and versions aren't pinned. The installer creates ~/.agentic_ai/config and places a skill dir path into a runtime check, but it does not download code from an unknown single-host URL nor extract arbitrary archives.
The registry metadata declares no required env vars or credentials, and none are strictly required to run the examples. SKILL.md and README mention optional API usage (e.g., OPENROUTER_API_KEY) and external integrations (MCP, A2A, OpenAI Agents SDK) that in practice would need credentials. The documentation's claims about broad external access contradict the lack of declared required credentials — meaning the skill currently advertises capabilities that would need keys but does not request them explicitly.
The skill is not marked always:true and does not request to be force-enabled. The installer creates its own config directory (~/.agentic_ai/config) but does not modify other skills or global agent settings. There are no included system-wide daemon installers or autonomous background service installers in the bundle.
Guidance
This package reads like a polished commercial product but contains mostly simulated examples and marketing claims of autonomous self-improvement that are not implemented in the provided files. Before installing or running it on a production machine: - Treat the package as untrusted code. Run it in a sandboxed VM or container first. - Review install.sh: it performs network pip installs (un-pinned). Prefer pinning package versions and auditing dependencies before allowing network installs. - Don’t provide API keys or credentials (OpenRouter, OpenAI, MCP, etc.) until you confirm where and how they will be used and that the code contacting remote services is legitimate. - Verify the presence of any background/updater components (cron, systemd units, daemons). The bundle does not include code to perform the advertised nightly scanning or self-updates — ask the vendor to point to the updater implementation or explain how 'Shakti Flow' performs network research. - If you plan to run it in production, request provenance: source repository, release tarballs, package hashes, and an explanation for the simulated vs. operational features (self-improvement, review-updates flow). If you want, I can: (1) point out exact lines in files to review for network calls, (2) produce a short checklist of what to ask the vendor, or (3) create a safe containerized command to test the package without exposing your host.
Latest Release
v4.0.0
Initial release: Self-improving agent framework with 17 dharmic security gates, 4-tier resilience, and 250k+ tokens of 2026 research.
More by @AmitabhainArunachala
Published by @AmitabhainArunachala on ClawHub
