Skill v1.3.0
ClawScan security
Evolink Media — AI Video, Image & Music Generation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 26, 2026, 5:38 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it only needs an Evolink API key and the runtime instructions match the stated image/video/music generation purpose.
- Guidance: This skill appears coherent and only needs an Evolink API key. Before installing:
  1. Verify you trust evolink.ai and the @evolinkai npm package/GitHub repo referenced in the SKILL.md (review the package code if you can), because the MCP bridge guidance uses npx, which runs remote code when executed.
  2. Keep your EVOLINK_API_KEY secret and avoid placing it in public configs; follow Evolink's dashboard for key rotation if needed.
  3. Be aware uploaded files may be sent to Evolink (files expire after 72 hours per the docs); avoid uploading sensitive private data.
  4. Confirm billing/quotas on evolink.ai so you don't receive unexpected charges.

  If you want stronger assurance, ask the publisher for the package source (the GitHub repo) and audit it before running the npx command.
Review Dimensions
- Purpose & Capability (ok): The skill name/description, declared primary credential (EVOLINK_API_KEY), and the SKILL.md all describe using Evolink generation endpoints or an MCP bridge. No unrelated credentials, binaries, or config paths are requested.
- Instruction Scope (ok): Runtime instructions stick to the generation workflow (use MCP tools, upload files, submit generation tasks, poll check_task). They do not instruct reading unrelated system files or additional environment variables. Use of base64 upload and file_url is explained and is appropriate for file uploads.
- Install Mechanism (note): The skill is instruction-only (no install spec). It recommends bridging an MCP server by running an npm package via npx (@evolinkai/evolink-media), which will execute remote code from the npm registry/GitHub when run by the user. That pattern is expected for MCP integrations but carries the usual moderate risk of executing third-party code. The skill itself does not automatically install anything.
- Credentials (ok): Only EVOLINK_API_KEY is required and declared as the primary credential. That is proportionate to an API-based generation service. The SKILL.md does not access or request additional secrets or unrelated environment variables.
- Persistence & Privilege (ok): always is false and the skill is user-invocable. It does not request permanent presence or attempt to modify other skills or system-wide configs. Autonomous invocation (model invocation enabled) is the platform default and is not, by itself, a red flag here.
