📦 Funky Fund Flamingo — 技能工具
v1.0.1Repair-first self-evolution for OpenClaw — audit logs, memory, and skills; run measurable mutation cycles. Get paid. Evolve. Repeat. Dolla dolla bill y'all.
0· 696·2 当前·2 累计
by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's files and instructions mostly match a self‑evolution use case, but several internal policies (forced-per-cycle mutation, treating generated prompts as authoritative) and aggressive defaults raise operational and governance risks that you should review before installing.
评估建议
What to check and how to reduce risk before installing:
- Run in dry-run first: execute node index.js run --dry-run and inspect the generated prompt/artifacts in memory/ before letting any model consume them. Confirm the prompts do not expose secrets you don't want sent to a cloud LLM.
- Use review mode by default: run with --review so the skill pauses before any significant edits; read the produced 'what_changed' and 'why_it_matters' sections carefully.
- Backup your workspace: commit or copy ...详细分析 ▾
ℹ 用途与能力
The name/description (repair-first, mutation cycles, revenue focus) aligns with the code and SKILL.md: the skill reads session logs, workspace memory, and the skills directory and produces evolution proposals and persistent state. That behavior is coherent with an evolution/meta-skill. However, embedded policy artifacts (master directive: must_evolve_each_cycle, no_op_forbidden) assert a stronger mandate than a typical 'run when asked' helper and are notable because they pressure continual mutation rather than optional inspections.
⚠ 指令范围
SKILL.md and the code instruct the agent to read local session transcripts (~/.openclaw/agents/<agent>/sessions/*.jsonl), MEMORY.md, USER.md, and the skills/ directory — all expected for an evolution tool — and to write persistent memory artifacts in memory/. Important risks: (1) extract_log explicitly 'treats the prompt as truth' and reconstructs an evolution history from generated prompts, which can let LLM-generated content be treated as authoritative input (self-reinforcing/poisoning). (2) master-directive and enforcement docs suggest forced evolution semantics (must_evolve_each_cycle/no_op_forbidden) which broaden the scope of changes the tool will consider acceptable. The SKILL.md warns that prompts produced by this skill may be sent to cloud LLM providers if the enclosing agent uses them, but that means sensitive local context could leave the host unless the user runs in dry-run/local-only modes.
✓ 安装机制
No install spec / external downloads. This is an instruction+code bundle that runs with node and uses only fs/path/os; I found no download/extract or foreign package install in the provided files. That reduces supply-chain risk compared to remote archive installs.
ℹ 凭证需求
The skill requests no required credentials and only exposes reasonable optional env overrides (AGENT_NAME, MEMORY_DIR, size/time limits). It reads local agent session logs and memory files (sensitive data), which is coherent for its stated purpose. It also ships agent templates (openai/openrouter) that encourage cloud model use — SKILL.md notes this and warns about data leaving via the cloud model, but that remains a privacy decision for the user.
⚠ 持久化与权限
The skill is not always:true and does not request system-level permissions, but the included master-directive (must_evolve_each_cycle: true, no_op_forbidden: true, goal: 'Code Singularity') and execution-loop requirements indicate strong bias toward automatic/perpetual mutation. If an agent runs this skill autonomously (normal platform default) and review flags are not enforced, the combination of forced-mutation policy + relay/loop modes increases the risk of repeated, possibly unnecessary or surprising local file changes. The code does include review/dry-run flags and local-only safeguards (no remote git push by default), but the policy artifacts are more aggressive than most users likely expect.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.12026/2/19
- Clarified security and privacy sections to emphasize that the skill's Node.js code is fully local; outbound data depends on agent/model stack used. - Added details about optional environment variables for easier customization and clearer configuration. - Explained implications of included agent config templates (OpenAI, OpenRouter): prompts may leave the machine if run via certain agents. - Enhanced documentation of master directive behavior, especially mutation forcing and safe usage flags. - Removed redundant documentation files (CHANGELOG.md, CLAWHUB_UPLOAD.md).
● 可疑
安装命令
点击复制官方npx clawhub@latest install funky-fund-flamingo
镜像加速npx clawhub@latest install funky-fund-flamingo --registry https://cn.longxiaskill.com