Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Code Assistant
v1.0.6
Generate, review, debug, and refactor production-ready Python, JavaScript/TypeScript, Go, Rust, Java, and C/C++ code with verified syntax and tests.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)

Purpose & Capability
The skill's functionality (generate/verify/run code) matches its name and description. However, the registry metadata presented to the platform declares no required environment variables or binaries, while the shipped README/_meta.json/docs explicitly require EVOLINK_API_KEY and EVOLINK_MODEL and list 'node' as a binary. That mismatch is concerning because the skill will rely on external API credentials and a CLI that are not declared in the platform metadata.
Instruction Scope
SKILL.md explicitly instructs the agent to read user-specified workspace files and transmit workspace code to api.evolink.ai after asking for consent, and to run local verification (syntax checks/tests). Asking for consent is good practice, but the skill's core behavior includes sending repository files externally and executing user code — both sensitive operations. There are also internal contradictions: 'Minimal File Access' vs. README statements like 'Reads your project structure', which imply broader workspace scanning unless strictly constrained by user input.
Install Mechanism
This is instruction-only (no install spec), which reduces automatic install risk. But the package.json/package-lock in the file manifest advertise a CLI ('evocode') and Node dependency while no install instructions are provided to the platform. That mismatch may confuse users and suggests the skill expects external tooling that the platform will not automatically supply.
Credentials
The skill will require an EVOLINK_API_KEY and (optionally) EVOLINK_MODEL to operate against an external API, and it declares network and shell access in its _meta.json. Those credentials are proportionate to a cloud-based code-generation service, but the platform registry fields shown to the installer list no required env vars — an important omission that hides the need to provide a secret API key and increases the chance a user will inadvertently transmit private code without realizing it.
Persistence & Privilege
The 'always' flag is false (no forced persistence), and the skill does not request platform-wide configuration changes. It does require the ability to execute shell commands and run tests (i.e., execute user code), which is expected for a code-verification skill but increases risk if used on untrusted repositories. SKILL.md requires user consent before transmission, which mitigates some risk, but autonomous agent invocation combined with network access and an external API key would increase the blast radius if the agent disregards consent prompts.
What to consider before installing
This skill will read user-specified workspace files, run syntax checks/tests locally (i.e., execute your code), and—if you consent—transmit workspace files to api.evolink.ai using an EVOLINK_API_KEY. The platform metadata shown to you omitted those required env vars and the CLI/binary dependency, which is inconsistent with the README/_meta.json. Before installing or running it:
- Treat it as a cloud-backed service that will send code externally. Do NOT use it on repositories containing secrets, proprietary code, or confidential data.
- Verify the vendor (Evolink.ai) and their published repository and privacy/security documentation (links are present in README). Confirm the actual endpoint(s) and what data is transmitted.
- Prefer testing in a sandbox or a non-sensitive sample repo first.
- Ask the skill author to fix the metadata inconsistency so required env vars (EVOLINK_API_KEY, EVOLINK_MODEL) and required binaries (node, any test tools) are declared on the platform.
- If you cannot confirm the implementation/source code of the CLI/service, avoid granting an API key or running it against sensitive codebases.
