Skill v2.0.0
ClawScan security
Evolink Music — AI Music Generation (Suno v4/v4.5/v5) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 26, 2026, 6:17 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is instruction-only and its requests (a single EVOLINK_API_KEY and calls to evolink.ai APIs) match the stated purpose of AI music generation; no disproportionate permissions or hidden installs were found.
- Guidance: This skill appears internally consistent: it only needs an EVOLINK_API_KEY and talks to evolink.ai endpoints to generate and host audio. Before installing, verify you trust evolink.ai and the API key you provide (it can create/list/delete files and incur billing). Be cautious if you follow the optional setup commands that run npx/@evolinkai/evolink-media — running npx executes remote npm code, so inspect that package first. Avoid uploading sensitive audio (file URLs are public and expire in 24–72h), monitor account billing/quotas, and rotate the API key if you stop using the skill or suspect compromise.
Review Dimensions
- Purpose & Capability (ok): Name/description (AI music generation with Suno models) aligns with what the skill asks for: a single EVOLINK_API_KEY and calls to evolink.ai generation and files endpoints. Required env/config is minimal and directly related to the service.
- Instruction Scope (note): SKILL.md confines runtime behavior to making API calls to evolink.ai and its file-hosting API, polling tasks, and managing uploaded audio. It also suggests maintaining session history and using MCP tools; it does not instruct reading unrelated system files or extraneous credentials. Note: the README includes optional commands to install/run an MCP server (npx usage) — that would execute remote npm code if the user follows it, so vet before running.
- Install Mechanism (ok): No install spec or code files are included (instruction-only), so nothing will be written to disk by the skill itself. However, the docs recommend optional npx commands to run an external MCP package (@evolinkai/evolink-media); that is not required for the skill to function but is an external install the user should review before running.
- Credentials (ok): Only EVOLINK_API_KEY is required and is the declared primary credential. That single API key is appropriate for a hosted generation + file-hosting service. No unrelated secrets or config paths are requested.
- Persistence & Privilege (ok): always:false (not force-included) and no special persistence or system-wide config modifications are requested. The skill can be invoked autonomously by agents by default (platform default) but that is not combined with broad or unrelated privileges here.
