Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Code Assistant

v1.0.0

Generate, review, debug, and refactor production-ready code in Python, JavaScript/TypeScript, Go, Rust, Java, and C/C++ with syntax checks and targeted edits.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The declared purpose (generate/review/debug/refactor code) aligns with instructions that read project files, run syntax checks/tests, and call an external service. However the registry metadata at the top of the submission lists no required env vars or binaries, while the bundled README/_meta.json advertise EVOLINK_API_KEY, EVOLINK_MODEL, and a node/evocode CLI — this mismatch is an inconsistency that should be resolved before trusting the skill.
Instruction Scope
SKILL.md explicitly instructs the agent to read workspace files (only with user consent) and to transmit them to api.evolink.ai for processing; it also instructs running syntax checks/tests which will execute user code. Asking for consent is good, but the workflow still enables exfiltration of repository contents and execution of potentially untrusted code. The instructions otherwise avoid scanning unrelated system paths, but transmitting whole workspace contents and executing tests is a meaningful data-exfiltration and code-execution risk.
Install Mechanism
There is no install spec (instruction-only), which is low risk. However package.json and package-lock.json are present and reference a CLI 'evocode' and dependency on node/commander, yet no bin/evocode file is included in the manifest. This is an inconsistency: examples assume a local CLI that the skill does not declare or install. No external downloads or archive extracts are present.
Credentials
The files (README and _meta.json) require EVOLINK_API_KEY and EVOLINK_MODEL and indicate network and shell access; requesting an API key for an external service is proportionate to offloading processing, but the registry's declared requirements (none) differ from the bundle. The need for an API key and network access is significant because it enables remote processing of your workspace; the skill should declare these requirements clearly in its published metadata.
Persistence & Privilege
The skill does not request always:true and does not request to modify other skills or system-wide settings. Meta advertises workspace file access, network access, and shell access — these are expected for a code-assistant but increase risk only when combined with autonomous invocation. Autonomous invocation is allowed by default (not flagged), but nothing in the bundle requests permanent system-level presence.
What to consider before installing
This skill can read your repository, send it to an external service (api.evolink.ai), and run syntax checks/tests (which will execute code). Before installing:

- Verify the skill's provenance (who published the skill and the homepage/repository URL). The registry metadata in the submission omits required env vars/binaries but the bundled files reference EVOLINK_API_KEY, EVOLINK_MODEL, and node; ask the publisher to explain and fix that mismatch.
- Do not use this skill on repositories containing secrets, credentials, or sensitive/confidential code unless you explicitly accept that entire workspace files may be transmitted to the external service. Remove or rotate secrets first.
- If you must test it, run it in an isolated sandbox (throwaway VM or container) with no secrets and minimal network privileges.
- Confirm whether the 'evocode' CLI actually exists in the published package or whether the examples are aspirational; missing CLI artifacts are a red flag.
- Consider alternatives that perform entirely local processing if you require stronger privacy guarantees.

If the publisher can (a) update the registry metadata to declare required env vars and binaries, (b) document exactly what is transmitted and when, and (c) provide the expected CLI/source so there are no missing artifacts, the inconsistencies would be largely resolved and the skill would be easier to evaluate securely.
