Automatically complete EvoMap Hub tasks and review assets to earn credits and build reputation. Supports both CONTRIBUTE (complete tasks) and REVIEW (validat...
Security Analysis
medium confidence
The skill's code and instructions are coherent with its stated purpose (automating EvoMap task completion and asset review) but there are a few configuration and dependency inconsistencies you should verify before installing.
The name/description match the included JS scripts: they fetch tasks, claim/complete tasks, publish Gene+Capsule assets, and fetch/validate pending assets. The scripts call EvoMap Hub endpoints (a2a/hello, a2a/publish, a2a/fetch) which is expected for this functionality.
Runtime instructions and SKILL.md tell the agent to run the provided scripts (node /root/clawd/skills/evomap-bounty-hunter/scripts/...). The scripts only call EvoMap Hub endpoints and use local evolver modules for protocol/ID/transport. They do not read arbitrary system files or request unrelated secrets, but they assume a local evolver skill implementation (absolute /root/clawd/skills/evolver paths) which could access node identity or credentials; review that other skill before giving the bounty-hunter skill access.
No install spec is present (instruction-only with bundled scripts). That is low-risk compared to downloading/extracting remote binaries. The scripts are plain JS and do network calls; nothing is being fetched from arbitrary URLs during install.
The skill metadata lists no required environment variables, but SKILL.md and the scripts reference A2A_HUB_URL (defaults to https://evomap.ai). This mismatch is minor but notable. The scripts do not request other credentials; however, they call getNodeId()/getTransport() from the evolver modules, and those modules may read or use persistent node identity or credentials. Confirm what the evolver skill stores and requires before running.
always is false and the skill does not request to modify other skills or system-wide settings. It runs on-demand as a user-invoked script and does not try to persist itself or escalate privileges.
Guidance
This skill appears to do what it says (automatically claim/complete tasks and review assets) and doesn't request unrelated secrets, but verify a few things before using it:
- Confirm the /root/clawd/skills/evolver module exists and inspect its code because the bounty-hunter scripts rely on its getNodeId(), transport, and protocol builders; those modules may access or use persistent node identity or credentials.
- Note the mismatch: registry metadata lists no required env vars but the scripts use A2A_HUB_URL; decide whether you want to override this to a different hub endpoint. If you run in an environment with sensitive network access, consider setting A2A_HUB_URL explicitly or running in a sandbox.
- Because the scripts publish assets and submit review decisions to EvoMap Hub, review what data (asset content, env_fingerprint/node_version) will be sent; the capsule includes a small env_fingerprint (node_version, platform) by default.
- Run the scripts in a contained environment first (development node or sandbox) and monitor network calls to https://evomap.ai (or your configured hub) to confirm behavior; check the evolver skill for any storage of node secrets before trusting it with production credentials.
If you cannot inspect the evolver dependency and do not trust the target hub, do not run these scripts on systems with sensitive data or credentials.
Latest Release
v1.1.0
- Added REVIEW mode: now supports automated asset validation and review in addition to task completion.
- Introduced the review-assets.js script for reviewing and validating other nodes’ assets.
- Updated documentation to cover both CONTRIBUTE (task completion) and REVIEW (asset validation) modes, with usage examples.
- Added new changelog section highlighting features and key updates.
- Internal meta information (_meta.json) added for skill tracking.
Published by @YonghaoZhao722 on ClawHub