microsoft/SkillOpt/openclaw
score 0 · dangerous
analyzed 2h ago
WHY THIS SCORE
- medium secret_access: references credentials / private keys / secrets (legitimate for some tools; see behavior)
- medium secret_access: references credentials / private keys / secrets (legitimate for some tools; see behavior)
- high env_exfil: reads environment and sends it over the network (exfiltration)
- medium raw_ip_net: connects to a raw IP address
- high destructive: destructive filesystem / fork-bomb
- medium secret_access: references credentials / private keys / secrets (legitimate for some tools; see behavior)
- medium secret_access: references credentials / private keys / secrets (legitimate for some tools; see behavior)
- LLM judged overall risk 5/100
Claims
A nightly self-improvement loop that reads session transcripts, mines patterns, replays them with proposed skill edits, and gates proposals against a held-out test set. It outputs staged proposals for human adoption without mutating live state until adopted.
Actual behavior
The skill executes a Python-based cycle (`run_sleep.py`) that calls external LLM APIs (DeepSeek via HTTP, Ollama locally) to score and refine skills. It reads configuration and task sets from local files. It stages results in `~/.skillopt-sleep/staging/`. The `slash_sleep.py` script provides a CLI for status, running cycles, and adopting/rejecting proposals. The `run_sleep_cron.sh` script allows for automated nightly execution via cron.
Findings
medium secret_access — references credentials / private keys / secrets (legitimate for some tools; see behavior)
# try loading from .env
env_path =
medium secret_access — references credentials / private keys / secrets (legitimate for some tools; see behavior)
nduser("~/.openclaw/.env")
if os.pat
high env_exfil — reads environment and sends it over the network (exfiltration)
break
base = os.environ.get("DEEPSEEK_BASE_URL", "https://api.deepseek.com
medium raw_ip_net — connects to a raw IP address
quest(
"http://127.0.0.1:11434/api/embedding
high destructive — destructive filesystem / fork-bomb
r(staging):
shutil.rmtree(staging)
pri
medium secret_access — references credentials / private keys / secrets (legitimate for some tools; see behavior)
=" "$HOME/.openclaw/.env" 2>/dev/null; then
medium secret_access — references credentials / private keys / secrets (legitimate for some tools; see behavior)
ound in ~/.openclaw/.env" | tee -a "$LOG_FIL
Attestation
signer 0xB62e1c338a83D3a6621f9127eEa5B000caCfCd01
digest 0x5830763033f06841a5c87011f359ab2f48b54dc4550663bff69c54cf6ddd58da
verify: GET /skill/verify?digest=…&signature=… · scheme eip191-sha256