ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Evolink Nano Banana 2 1

v1.0.0

Nano Banana 2 — AI image generation powered by Google Gemini 3.1 Flash. Fast, versatile text-to-image and image editing via Evolink API. One API key.

0· 340·0 current·0 all-time
by@bethune89
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Evolink image generation via Gemini model) align with required env var (EVOLINK_API_KEY), endpoints, and the SKILL.md. The functionality described (text-to-image, editing, file upload) matches the declared requirements.
Instruction Scope
SKILL.md stays within image-generation scope (API calls, file uploads, polling tasks, asking user for prompts/params). As a note, it recommends optional setup commands that run third-party code (npx @evolinkai/evolink-media) to add an MCP server — this is outside the skill's own runtime but is an installation-time convenience that executes external code and should be reviewed before running.
Install Mechanism
No install spec and no code files — instruction-only skill. Lower disk/write risk. The only install-related action is an optional recommendation to run npx for an MCP server; that is not required by the skill but may cause remote code execution if performed by the user.
Credentials
Requires a single API key (EVOLINK_API_KEY) which is appropriate and declared as the primary credential. No other secrets, config paths, or unrelated credentials are requested.
Persistence & Privilege
always:false and user-invocable; the skill does not request permanent/global presence or modify other skills. Normal autonomous invocation is allowed by platform defaults but not a separate concern here.
Assessment
This skill appears to be what it says: an Evolink image-generation helper that needs one API key. Before installing or using it: (1) keep your EVOLINK_API_KEY private and consider a key with limited billing/permissions; (2) avoid uploading sensitive images — uploaded files become public URLs for a short window (72h/24h for results); (3) review any suggested npm packages (e.g., npx @evolinkai/evolink-media) before running them — npx fetches and executes remote code; (4) confirm you trust evolink.ai and any referenced third‑party MCP packages (check their npm/GitHub repos and maintainers); (5) verify expected billing/quotas on the Evolink dashboard to avoid unexpected charges. Overall the skill is coherent, but exercise standard caution with API keys and executing optional third-party installers.

Like a lobster shell, security has layers — review code before you run it.

latestvk9769kv1c7r80f6rz96jzef5p18235jn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🍌 Clawdis
OSmacOS · Linux · Windows
EnvEVOLINK_API_KEY
Primary envEVOLINK_API_KEY

Comments