Linkfuse
PassAudited by ClawScan on May 1, 2026.
Overview
Linkfuse appears to do what it says: it uses a Linkfuse API token to send a user-provided URL to Linkfuse and return a short affiliate link.
This skill is reasonable to use if you are comfortable giving it access to a Linkfuse API token and sending the URLs you shorten to Linkfuse. Avoid shortening private URLs that contain secrets or session tokens, and keep LINKFUSE_TOKEN protected.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A URL you provide will be sent to Linkfuse and may create or reuse a short affiliate link in the associated Linkfuse account.
The helper makes a disclosed POST request to create or recycle a Linkfuse link for the supplied URL. This is expected for the skill, but it is still an external account action.
response = await fetch(config.endpoints.createLink, { method: 'POST', ... body: JSON.stringify({ url, allowRecycle: true })Use the skill only for URLs you intend to send to Linkfuse, and review the returned short link before sharing it.
Anyone running the skill in an environment with this token can create Linkfuse links as that account.
The skill uses a bearer token from the environment as delegated Linkfuse account authority. The artifacts disclose this and do not show token logging, storage, or unrelated transmission.
const token = process.env.LINKFUSE_TOKEN; ... 'Authorization': `Bearer ${token}`Use a revocable or scoped Linkfuse token if available, keep it out of chat and logs, and revoke it if you stop using the skill.