Gen Paylink Govilo

Pass. Audited by ClawScan on May 10, 2026.

Overview

This skill appears to do what it advertises: it packages user-selected files, uploads them to Govilo, and creates a paid unlock link, but it does require a Govilo API key and sends selected files to an external service.

This looks coherent and purpose-aligned. Before installing or running it, make sure you trust Govilo, use a dedicated .env.govilo file, verify the files or folder you are uploading, and double-check the price and seller wallet address because the command creates a real paid unlock link.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can act through the user's Govilo Bot API key to create upload sessions and paid unlock items.

Why it was flagged

The skill needs a Govilo API token and seller wallet address to create links on the user's Govilo account; this is disclosed and matches the purpose.

Skill content

Requires GOVILO_API_KEY and SELLER_ADDRESS env vars.

Recommendation

Use a dedicated Govilo API key/env file as documented, keep the key private, and revoke it if you stop using the skill.

What this means

Any files or folder contents selected with --input will be sent to Govilo storage.

Why it was flagged

The implementation uploads the packaged ZIP to a presigned Govilo/R2 upload URL, so selected file contents leave the local machine.

Skill content

requests.put(upload_url, headers={"Content-Type": "application/zip"}, data=f)

Recommendation

Only choose files intended for sale or sharing, and review folder contents before uploading.

What this means

Running the command can create a real paid unlock link on the connected Govilo account.

Why it was flagged

The CLI chains API actions that upload content and create a paid Govilo item using user-supplied title and price.

Skill content

client.presign(cfg.seller_address)
client.upload(presign_data["upload_url"], zip_path)
item_data = client.create_item(... title=args.title, price=args.price ...)

Recommendation

Confirm the input files, title, price, and seller address before running the command.

What this means

Installing uv this way runs code from the uv provider on the user's machine.

Why it was flagged

The setup guide suggests standard remote installer commands for uv, which are disclosed setup steps but still execute downloaded installer code.

Skill content

curl -LsSf https://astral.sh/uv/install.sh | sh
...
powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"

Recommendation

Install uv only from trusted official sources, or use a package manager such as Homebrew if preferred.