Back to skill
Skillv1.0.1
ClawScan security
Content Rewriter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 8, 2026, 5:37 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files, runtime instructions, and requested environment variable all match its stated purpose: it sends user-supplied text to api.evolink.ai using an EVOLINK_API_KEY for rewriting/translation/score operations; nothing requested appears disproportionate or unrelated.
- Guidance
- This skill will send any file content you pass to the evolink.ai API (api.evolink.ai) using the EVOLINK_API_KEY you provide — do not use it with sensitive secrets or private documents unless you trust evolink.ai and have reviewed their privacy/retention policy. The installer copies files into your project's skills/ directory and updates a local .clawhub lockfile; you can remove the installed folder and lockfile to uninstall. Verify you obtained the package from a trusted source and keep EVOLINK_API_KEY out of shared shells or public CI logs. If you need higher assurance, review the full rewriter.sh and install.js in your environment before running, and validate the evolink.ai domain and support contact independently.
Review Dimensions
- Purpose & Capability
- okName/description ask for AI rewriting/translation/score features and the code requires python3, curl, and EVOLINK_API_KEY — all directly related to calling the evolink.ai API. No unrelated credentials or tools are requested.
- Instruction Scope
- okSKILL.md and the included rewriter.sh limit their actions to reading a user-specified input file, constructing an API payload, and posting to api.evolink.ai. They do not attempt to read other system files, environment secrets beyond EVOLINK_API_KEY/EVOLINK_MODEL, or transmit data to other endpoints.
- Install Mechanism
- okThere is no remote download during install; the npm installer script simply copies bundled skill files into a skills/ directory and updates a local .clawhub lockfile. This is a low-risk, local file copy installer. (Note: the registry metadata shows no external install spec but an npm installer is included as a file — that is consistent with distributing an npm helper.)
- Credentials
- okOnly EVOLINK_API_KEY is required (with optional EVOLINK_MODEL). Those map directly to the external AI API the skill uses. No additional secrets or unrelated environment variables are requested.
- Persistence & Privilege
- okalways is false and the skill does not request persistent elevated privileges. The installer writes skill files to skills/<slug> and updates a local .clawhub/lock.json and a .clawhub-origin.json in the skill folder — expected behavior for an installer. The runtime scripts create temporary files (mktemp) and clean them up via trap.