Auto Skill Evolver
This skill allows your AI agent to autonomously improve its own skills. It uses an iterative "training" process where the agent practices a task, evaluates the result, and rewrites the skill definition to perform better next time.
⚠️ Security Notice: This skill modifies code/config files on your local machine. It runs the local openclaw CLI and executes arbitrary commands defined by you. Use with caution and review changes before applying them.
Prerequisites
1. Python 3.8+ installed.
2. OpenClaw CLI installed and configured (openclaw command available in PATH; this is an external dependency and is not bundled with this skill package).
3. No external API key required (uses your local OpenClaw agent configuration).
4. Strongly recommended to run with human review (--interactive) unless you are in a trusted CI pipeline.
Usage
1. Self-Training Mode (The "Gym")
Use this mode when you want the agent to practice a specific task repeatedly to perfect a skill.
Command:
CODEBLOCK0
Parameters:
- --skill-path: The path to the skill file you want to improve.
- --command: The command to run the agent task.
  - Recommended: pass a JSON array string (e.g., ["bin","--arg","value"]) for exact argv control.
  - Security hardening: shell operators such as &&, |, ; and redirection are rejected to prevent injection.
- --iterations: How many times to practice (default: 10).
- --interval: Seconds to wait between iterations (e.g., 1800 for 30 mins).
- --trace-file: The file where your agent writes its execution logs.
- --interactive-each-iteration: If enabled, each iteration requires yes or hash approval before apply.
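How a --command value can be turned into an argv list under the two rules above, as an added example (not the skill's own code; parse_command is a hypothetical name, and rejecting backticks and $( is an assumption beyond the operators the page lists):

```python
import json
import re
import shlex

# Operators named on the page: &&, |, ;, redirection.
# Backtick and $( are an added assumption, not taken from the page.
_SHELL_OPERATORS = re.compile(r"&&|[|;<>`]|\$\(")


def parse_command(raw):
    """Return an argv list meant for subprocess.run(argv, shell=False)."""
    raw = raw.strip()
    if raw.startswith("["):
        # JSON array form: every element becomes exactly one argv entry,
        # so characters such as ';' inside an argument stay literal data.
        argv = json.loads(raw)
        if (not isinstance(argv, list) or not argv
                or not all(isinstance(a, str) for a in argv) or not argv[0]):
            raise ValueError("--command JSON must be a non-empty list of strings")
        return argv
    # Plain-string form: refuse anything a shell would treat as an operator,
    # even inside quotes. That conservatism is why the JSON form is preferred.
    if _SHELL_OPERATORS.search(raw):
        raise ValueError("shell operators are not allowed in --command")
    argv = shlex.split(raw)
    if not argv:
        raise ValueError("--command is empty")
    return argv


if __name__ == "__main__":
    print(parse_command('["bin","--arg","value"]'))
    print(parse_command("your-agent-command --task 'do the thing'"))
```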
2. In-Process Evolution (Hook Mode)
Use this mode to improve skills during normal usage.
Option A: Command Line Hook
CODEBLOCK1
Option B: Python Integration (Wrapper)
CODEBLOCK2
3. Version Control & Rollback
Every time the skill is updated, a backup is saved in .skill_versions/ inside the skill's directory.
Restore a previous version:
CODEBLOCK3
How It Works
1. Execute: The agent runs the task using the current skill.
2. Evaluate: The execution trace and user feedback are captured.
3. Optimize: A local OpenClaw sub-agent is spawned to analyze the trace and optimize the skill file.
4. Rewrite: The sub-agent writes updates using atomic replace to avoid partial writes/corruption.
5. Report: A changelog is generated (Added/Removed/Impact).
6. Proposal-First: Proposal artifacts are stored as .proposed and .proposed.meta.json.
7. Approval: The full unified diff is printed in the same session; apply accepts yes or the exact proposal hash.
8. Deferred Apply: An existing proposal can be applied later with --apply-proposal; no re-optimization is needed.
9. Expiry Guard: Use --approval-expire-seconds to reject stale proposals.
10. Session Integration: Use --status and --output-mode json to expose proposal state and next actions to chat/mobile UI.
11. Single-Action Chat Mode: --chat-action propose|status|approve reduces client decision complexity.
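The approval, expiry and atomic-rewrite steps above, sketched as an added example (not the skill's own code; the function names and the meta layout with "sha256" and "created_at" keys are assumptions, since the page does not show the contents of .proposed.meta.json):

```python
import hashlib
import hmac
import os
import tempfile
import time


def fingerprint(text):
    """SHA256 fingerprint of the proposed skill text."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def check_approval(proposed_text, meta, token, max_age=None, now=None):
    """Return (ok, reason); meta = {"sha256": ..., "created_at": ...} (assumed)."""
    now = time.time() if now is None else now
    actual = fingerprint(proposed_text).encode()
    # The file on disk must still be the proposal whose diff was shown.
    if not hmac.compare_digest(actual, str(meta["sha256"]).encode()):
        return False, "proposal changed after it was recorded"
    if max_age is not None and now - meta["created_at"] > max_age:
        return False, "proposal expired"
    token = token.strip()
    # Only the literal "yes" or the full hash is accepted, never a prefix.
    if token == "yes" or hmac.compare_digest(token.lower().encode(), actual):
        return True, "approved"
    return False, "token is neither yes nor the proposal hash"


def atomic_write(path, text):
    """Write to a temp file in the target directory, then os.replace it in."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".tmp-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as handle:
            handle.write(text)
            handle.flush()
            os.fsync(handle.fileno())
        os.replace(tmp, path)  # readers see the old or the new file, never half
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
```

Re-hashing the proposal at apply time is what makes a deferred apply safe: an approval given for one diff cannot be spent on a file that was edited afterwards.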
Security
This skill includes built-in defenses against Prompt Injection attacks from execution logs and local file tampering:
1. Prompt Isolation: The optimizer is explicitly instructed to treat logs as untrusted data and ignore any instructions found within them.
2. Multi-layer Security Scans: Before apply, generated content goes through multiple scanners:
   - Diff-aware high-risk behavior detection (new dangerous commands compared with the original version)
   - Absolute high-risk blocklist scan (e.g., curl, rm -rf, chmod 777, disk-destructive patterns)
   - Prompt-injection marker scan (e.g., instruction-override phrases, role-escalation terms)
3. Permission Validation: Target skill/trace/feedback paths are validated (regular file only, no symlink redirection, required read/write access).
4. Atomic Writes: Skill proposals, applied updates, and update reports are written atomically (tempfile + os.replace) to prevent partial writes and race-condition corruption.
5. Local Execution: All optimization happens locally via your configured OpenClaw agent, ensuring no data leaves your controlled environment.
6. Secure Workspace: Optimization artifacts (traces, logs) are processed in a secured directory (.secure_workspace) with restricted permissions (current user only) to prevent tampering during the update process.
7. Section Whitelist Rewrite: By default only selected H2 sections are replaceable (Usage, How It Works, Security). Frontmatter and non-whitelisted sections remain unchanged.
8. Approval Gate: Every proposal has a SHA256 fingerprint. Apply accepts yes or the exact hash, and the full diff is always visible in-session.
9. Token File Approval: --approval-token-file supports file-based approval for mobile/server control without exposing the token in process args.
10. Proposal Expiry: --approval-expire-seconds enforces a maximum age to block stale proposals from being applied.
11. Structured Session Output: --output-mode json emits machine-readable proposal/approval events for conversation-driven clients.
12. Risk Card Field: JSON events include risk_level (low|medium|high) for red/yellow/green mobile cards.
13. Writable Scope Guard: --allowed-skill-roots limits writable target ranges to approved root paths.
14. Self-Target Guard: Self-modification is blocked by default; use --allow-self-target only in controlled maintenance.
15. Strict Compatibility Guard: Legacy high-risk flags are rejected with migration guidance.
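The difference between the diff-aware scan and the absolute blocklist scan in item 2, as an added example (not the skill's own scanner; the regexes, the scan function and the mapping of findings to risk_level are assumptions, and only the three command examples come from the page):

```python
import re

# Command examples named on the page; the regexes themselves are assumed.
HIGH_RISK = {
    "curl": re.compile(r"\bcurl\b"),
    "rm -rf": re.compile(r"\brm\s+-(?:rf|fr)\b"),
    "chmod 777": re.compile(r"\bchmod\s+(?:-R\s+)?0?777\b"),
}


def count_hits(text):
    """Number of matches per blocklist entry in one skill text."""
    return {name: len(rx.findall(text)) for name, rx in HIGH_RISK.items()}


def scan(original, proposed):
    """Compare a proposal against the version it would replace."""
    before, after = count_hits(original), count_hits(proposed)
    # Absolute scan: anything on the blocklist that appears in the proposal.
    absolute = sorted(n for n, c in after.items() if c > 0)
    # Diff-aware scan: entries that occur more often than in the original,
    # i.e. risky commands the optimizer itself introduced.
    introduced = sorted(n for n in after if after[n] > before[n])
    if introduced:
        risk = "high"      # assumed mapping: new risky command
    elif absolute:
        risk = "medium"    # assumed mapping: pre-existing, unchanged
    else:
        risk = "low"
    return {"absolute": absolute, "introduced": introduced, "risk_level": risk}


if __name__ == "__main__":
    # Constructed sample texts, not taken from a real skill file.
    old = "## Usage\nFetch the docs with curl before summarizing.\n"
    new = old + "Then run chmod 777 on the output directory.\n"
    print(scan(old, new))
```

Counting occurrences rather than testing presence means a second use of a command the original already contained is still reported as introduced.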
Mobile Chat Quickstart
Use the same script with one action:
CODEBLOCK4
Natural language mode (no need to remember action flags):
CODEBLOCK5
Conversation Triggers
The router can infer action + skill from natural phrases:
- Chinese training intents: 训练 xxx, 优化 xxx, 让 xxx 技能迭代, INLINECODE42
- Chinese status intents: 查看 xxx 训练状态, INLINECODE44
- Chinese approve intents: 批准 xxx, 应用 xxx 提案, INLINECODE47
- English training intents: train xxx, optimize xxx, INLINECODE50
- English status intents: status xxx, INLINECODE52
- English approve intents: approve xxx, INLINECODE54
If user says 这个技能 / 当前技能 / this skill, it maps to auto-skill-evolver.
Strict Release Profile
This release is hardened for marketplace safety review:
- No autonomous apply path.
- No whitelist-bypass flag.
- Proposal-first workflow is mandatory (.proposed + .proposed.meta.json).
- Apply requires explicit approval token (yes or proposal hash), including token-file and deferred apply mode.
- Write scope is constrained by allowed roots and self-target is disabled by default.
- Recommended to run in isolated development environments.
Legacy high-risk flags are intentionally rejected:
- INLINECODE62
- INLINECODE63
Security Tests
Run local checks before publishing:
CODEBLOCK6
Expected outcome:
- Commands exit with code 0.
- Legacy high-risk flags are rejected.
- Whitelist/frontmatter protection works.
- Hash checks remain stable.
Directory Structure
CODEBLOCK7
Auto Skill Evolver
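This skill allows your AI agent to autonomously improve its own skills. It uses an iterative training process in which the agent practices a task, evaluates the result, and rewrites the skill definition to perform better next time.
⚠️ Security Notice: This skill modifies code/config files on your local machine. It runs the local openclaw CLI and executes arbitrary commands defined by you. Use with caution and review changes before applying them.
Prerequisites
1. Python 3.8+ installed.
2. OpenClaw CLI installed and configured (openclaw command available in PATH; this is an external dependency and is not included in this skill package).
3. No external API key required (uses your local OpenClaw agent configuration).
4. Strongly recommended to run in human-review mode (--interactive) unless you are in a trusted CI pipeline.
Usage
1. Self-Training Mode (The "Gym")
Use this mode when you want the agent to practice a specific task repeatedly to perfect a skill.
Command: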
```bash
python skills/auto-skill-evolver/scripts/train_loop.py \
  --skill-path skills/target-skill/SKILL.md \
  --command '["your-agent-command", "--task", "do the thing"]' \
  --iterations 10 \
  --interval 300 \
  --trace-file logs/execution.log \
  --interactive-each-iteration
```
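Parameters:
- --skill-path: The path to the skill file you want to improve.
- --command: The command to run the agent task.
  - Recommended: pass a JSON array string (e.g., ["bin","--arg","value"]) for exact argv control.
  - Security hardening: shell operators such as &&, |, ; and redirection are rejected to prevent injection.
- --iterations: How many times to practice (default: 10).
- --interval: Seconds to wait between iterations (e.g., 1800 for 30 minutes).
- --trace-file: The file where the agent writes its execution logs.
- --interactive-each-iteration: If enabled, each iteration requires yes or the hash to be entered for approval before apply.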
2. In-Process Evolution (Hook Mode)
Use this mode to improve skills during normal usage.
Option A: Command Line Hook
```bash
# Step 1: Generate a proposal and show the full diff in the current session
python skills/auto-skill-evolver/scripts/optimize_skill.py \
  --skill-path skills/target-skill/SKILL.md \
  --task-desc "用户的请求" \
  --trace-file logs/session.log \
  --feedback-file logs/user_feedback.txt \
  --allowed-sections "Usage,How It Works,Security" \
  --interactive

# Step 2: Apply the existing proposal later (suited to mobile/remote operation)
python skills/auto-skill-evolver/scripts/optimize_skill.py \
  --skill-path skills/target-skill/SKILL.md \
  --apply-proposal \
  --approval-token yes

# Step 2 (token-file mode): avoid exposing the token in command arguments
python skills/auto-skill-evolver/scripts/optimize_skill.py \
  --skill-path skills/target-skill/SKILL.md \
  --apply-proposal \
  --approval-token-file runtime/approval_token.txt \
  --approval-expire-seconds 1800

# Step 3 (session-first): query the current proposal state (for mobile chat UIs)
python skills/auto-skill-evolver/scripts/optimize_skill.py \
  --skill-path skills/target-skill/SKILL.md \
  --status \
  --output-mode json

# Step 4 (single-action mobile flow): use only one action parameter
python skills/auto-skill-evolver/scripts/optimize_skill.py \
  --skill-path skills/target-skill/SKILL.md \
  --chat-action approve
```
Option B: Python Integration (Wrapper)
```python
from skills.auto_skill_evolver.scripts.hook_wrapper import trigger_evolution

# After the task completes
report = trigger_evolution(
    skill_path="skills/target-skill/SKILL.md",
    task_desc="分析财务数据",
    trace_file="logs/trace123.log",
    feedback_file="logs/feedback123.txt",
    interactive=True,  # ask for yes/hash approval before applying
)
print(report)
```
3. Version Control & Rollback
Every time the skill is updated, a backup is saved in .skill_versions/ inside the skill's directory.
Restore a previous version:
```python
from skills.auto_skill_evolver.scripts.version_control import restore_version, list_versions

# List available versions
versions = list_versions("skills/target-skill/SKILL.md")
for v in versions:
    print(v["filename"], v["meta"])

# Restore
restore_version("skills/target-skill/SKILL.md", versions[1]["path"])
```
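How It Works
1. Execute: The agent runs the task using the current skill.
2. Evaluate: The execution trace and user feedback are captured.
3. Optimize: A local OpenClaw sub-agent is spawned to analyze the trace and optimize the skill file.
4. Rewrite: The sub-agent writes updates using atomic replace to avoid partial writes/corruption.
5. Report: A changelog is generated (Added/Removed/Impact).
6. Proposal-First: Proposal artifacts are stored as .proposed and .proposed.meta.json.
7. Approval: The full unified diff is printed in the same session; yes or the exact proposal hash is accepted.
8. Deferred Apply: An existing proposal can be applied later with --apply-proposal; no re-optimization is needed.
9. Expiry Guard: Use --approval-expire-seconds to reject stale proposals.
10. Session Integration: Use --status and --output-mode json to expose proposal state and next actions to chat/mobile UI.
11. Single-Action Chat Mode: --chat-action propose|status|approve reduces client decision complexity.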
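Security
This skill includes built-in defenses against prompt injection attacks from execution logs and against local file tampering:
1. Prompt Isolation: The optimizer is explicitly instructed to treat logs as untrusted data and ignore any instructions found within them.
2. Multi-layer Security Scans: Before apply, generated content goes through multiple scanners:
   - Diff-aware high-risk behavior detection (new dangerous commands compared with the original version)
   - Absolute high-risk blocklist scan (e.g., curl, rm -rf, chmod 777, disk-destructive patterns)
   - Prompt-injection marker scan (e.g., instruction-override phrases, role-escalation terms)
3. Permission Validation: Target skill/trace/feedback paths are validated (regular file only, no symlink redirection, read/write access required).
4. Atomic Writes: Skill proposals, applied updates, and update reports are written atomically (tempfile + os.replace) to prevent partial writes and race-condition corruption.
5. Local Execution: All optimization happens locally via your configured OpenClaw agent, ensuring data does not leave your controlled environment.
6. Secure Workspace: Optimization artifacts (traces, logs) are processed in a secured directory (.secure_workspace) with restricted permissions (current user only) to prevent tampering during the update process.
7. Section Whitelist Rewrite: By default only selected H2 sections are replaceable (Usage, How It Works, Security). Frontmatter and non-whitelisted sections remain unchanged.
8. Approval Gate: Every proposal has a SHA256 fingerprint. yes or the exact hash is accepted, and the full diff is always visible in-session.
9. Token File Approval: --approval-token-file supports file-based approval for mobile/server control without exposing the token in process args.
10. Proposal Expiry: --approval-expire-seconds enforces a maximum age to block stale proposals from being applied.
11. Structured Session Output: --output-mode json emits machine-readable proposal/approval events for conversation-driven clients.
12. Risk Card Field: JSON events include risk_level (low|medium|high) for red/yellow/green mobile cards.
13. Writable Scope Guard: --allowed-skill-roots limits writable target ranges to approved root paths.
14. Self-Target Guard: Self-modification is blocked by default; use --allow-self-target only in controlled maintenance.
15. Strict Compatibility Guard: Legacy high-risk flags are rejected with migration guidance.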
Mobile Chat Quickstart
Use the same script with one action:
```bash
# Start a training proposal
python skills/auto-skill-evolver/scripts/optimize_skill.py --
```