Evolink Image — AI Image Generation (GPT Image, Nano Banana 2, Seedream, GPT-4o)
Pass. Audited by VirusTotal on May 11, 2026.
Findings (1)
The skill is classified as suspicious due to significant shell injection vulnerabilities and supply chain risks. The `SKILL.md` instructs the AI agent to execute `npx -y @evolinkai/evolink-media@latest`, which introduces a supply chain risk if the npm package is compromised. Furthermore, the `references/file-api.md` provides `curl` commands for file management that, if constructed by the AI agent using unsanitized user input, could lead to shell injection and arbitrary code execution. While these are critical vulnerabilities, there is no clear evidence of intentional malicious behavior such as data exfiltration or backdoor installation by the skill developer, aligning with the 'suspicious' classification for RCE risks without proof of malicious intent.
