evolink-nano-banana-2
Audited by Socket on Feb 28, 2026
1 alert found:
Malware
This SKILL manifest appears coherent with its stated purpose: it requires an Evolink API key, sends user prompts and uploaded images to Evolink's documented endpoints, and recommends using a third-party MCP package to manage generation and file hosting. There is no explicit malicious code or obfuscation in the manifest itself. The primary risks are supply-chain and credential-forwarding: recommending npx installation of @evolinkai/evolink-media and instructing the user/agent to provide EVOLINK_API_KEY to MCP tooling means a third-party package will receive and use that key and handle user data. That transitive trust and the network-forwarding of user-supplied images/prompts are the main security concerns. I classify this as not overtly malicious but carrying moderate supply-chain/credential risk; operators should audit the referenced npm package and limit the API key scope (least privilege), and avoid uploading sensitive images unless the provider's policies are reviewed.