Skill v1.0.0

ClawScan security

Cheapest Image · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 21, 2026, 12:28 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and required environment variable (EVOLINK_API_KEY) match its stated purpose (calling the EvoLink image-generation API and saving the resulting image locally).
Guidance
This skill behaves like a normal API client: it needs your EvoLink API key and will send any prompt text you provide to api.evolink.ai, then download and save the generated image locally and print MEDIA:<path> for attachment. Before installing, confirm you trust EvoLink (https://evolink.ai), understand that prompts and any included sensitive content will be transmitted to that third party, and are comfortable storing the downloaded image on your machine. Be aware of cost implications of API usage, and avoid putting secrets or private data in prompts. If you need tighter control, consider creating a limited-scope API key with EvoLink (if the service supports it) or testing with throwaway keys first.

Review Dimensions

Purpose & Capability
ok: Name/description (Cheapest Image via EvoLink) aligns with the code and docs: it submits a generation request to api.evolink.ai, polls a task endpoint, downloads the image, and prints MEDIA:<path>. No unrelated services, binaries, or credentials are requested.
Instruction Scope
ok: SKILL.md and reference scripts only instruct making API calls to EvoLink, polling task status, downloading the result, and saving locally. They require an API key and do not read other files, secrets, or system configuration beyond EVOLINK_API_KEY and normal filesystem access to write the image.
Install Mechanism
ok: Instruction-only skill with included small Python/PowerShell/curl helpers; no installer, no archive downloads, and no third-party packages are pulled at install time.
Credentials
ok: Only EVOLINK_API_KEY is required (declared as primaryEnv), which is proportional to a third-party API client. The scripts do not access other environment variables or unrelated credentials.
Persistence & Privilege
ok: Skill does not request always:true, does not modify other skills or system-wide settings, and only writes image files it downloads to the local filesystem as expected for its purpose. Autonomous invocation is allowed (platform default) but not combined with elevated privileges.