Skill v1.0.0
ClawScan security
Best Image · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 21, 2026, 12:30 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and required credential (EVOLINK_API_KEY) line up with its stated purpose of calling the EvoLink image-generation API; nothing suggests it is trying to do unrelated or hidden actions.
- Guidance: This skill appears to do only what it says: call evolink.ai to generate/edit images and save the results locally. Before installing: (1) Only provide a valid EVOLINK_API_KEY if you trust evolink.ai and understand any usage charges (4K costs extra). (2) Treat the API key like any secret — rotate or revoke it if compromised and avoid sharing it broadly. (3) Be cautious about supplying private image URLs; the skill sends any provided image URLs to the EvoLink API and will download the returned image to disk. (4) If you need tighter control, run the bundled script locally yourself (inspect it first) rather than granting broad autonomous agent access. If you want deeper assurance, verify the provider domain and review EvoLink's privacy/terms before use.
Review Dimensions
- Purpose & Capability: ok. Name, description, and required env var (EVOLINK_API_KEY) directly match use of the EvoLink image API; no unrelated credentials, binaries, or config paths are requested.
- Instruction Scope: ok. SKILL.md and the included Python/PowerShell/curl references limit actions to submitting generation tasks, polling task status, and downloading the returned image. The agent is not instructed to read arbitrary local files or other environment variables. Note: the skill will download image URLs returned by the API to local disk (expected for this purpose).
- Install Mechanism: ok. No install spec; the skill is instruction-plus-script only and relies on standard system tools (Python, curl, or PowerShell). No external downloads or archives are written during installation.
- Credentials: ok. Only EVOLINK_API_KEY is required and declared as the primary credential; this is appropriate for a third-party API client and no additional secrets or unrelated env vars are requested.
- Persistence & Privilege: ok. The skill is not forced always-on, does not modify other skills or system-wide settings, and does not request elevated or persistent privileges beyond normal API access.
