Evolink Nano Banana 2 1

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent image-generation skill, but users should note that it uses an Evolink API key, may upload prompts and images to Evolink, and recommends an unpinned npm MCP setup command.

This skill appears purpose-aligned for Evolink image generation. Before installing, confirm the publisher/package identity, use a dedicated Evolink API key, consider pinning the MCP npm package instead of using @latest, and avoid uploading sensitive images or prompts unless you are comfortable sending them to Evolink.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

66/66 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Severity: Low

What this means

Anyone installing this skill must provide or expose an Evolink API key, which can be used to consume credits or access Evolink-hosted files within that account's permissions.

Why it was flagged

The skill needs a service API key to authenticate requests to Evolink. This is expected for the integration, but it gives the skill delegated access to the user's Evolink account.

Skill content
`EVOLINK_API_KEY` authenticates all requests. Injected by OpenClaw automatically. Treat as confidential.
Recommendation

Use a dedicated Evolink API key, monitor usage and billing, and revoke the key if you stop using the skill.

ASI07: Insecure Inter-Agent Communication
Severity: Medium

What this means

Private prompts or sensitive images submitted for editing/generation will be sent to a third-party service and may be accessible through temporary hosted links.

Why it was flagged

The skill clearly discloses that user prompts and image inputs are transmitted to Evolink and that generated or uploaded content is available through temporary URLs.

Skill content
Prompts and images are sent to `api.evolink.ai`. Uploaded files expire in **72h**, result URLs in **24h**.
Recommendation

Do not submit confidential, regulated, or highly personal images unless Evolink's privacy, retention, and access controls meet your needs.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Low

What this means

If the npm package changes or is compromised later, a user following the setup command could run different code than what was reviewed here.

Why it was flagged

The setup documentation recommends running an external npm MCP package with the moving `@latest` tag. This is purpose-aligned setup guidance, not automatic execution, but the exact code version is not pinned in the artifact.

Skill content
`mcporter call --stdio "npx -y @evolinkai/evolink-media@latest" list_models`
Recommendation

Verify the npm/GitHub package publisher and consider pinning a specific trusted version instead of using `@latest`.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Info

What this means

The skill identity metadata is not perfectly consistent, so users may want to confirm they are installing the intended Evolink skill.

Why it was flagged

The packaged metadata differs from the registry-provided owner and slug shown in the evaluation context. This is a provenance inconsistency, though it does not by itself show unsafe behavior.

Skill content
"ownerId": "kn74p4xy6sja0199cea53anecs81kqjs", "slug": "evolink-nano-banana-2"
Recommendation

Verify the publisher, homepage, and package identity before providing an API key.