ClawHub

Evolink Media — AI Video, Image & Music Generation

Security checks across malware telemetry and agentic risk

Overview

This skill appears to provide disclosed Evolink media/file-hosting workflows, with expected third-party uploads that users should treat as public sharing.

Install only if you are comfortable sending selected media to Evolink and receiving public links. Do not upload secrets, confidential documents, regulated data, or private personal media unless you intend to share them, and review any generated curl command before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly instructs use of a public file-hosting service and says uploaded files become 'publicly accessible links,' but it does not give a prominent privacy/security warning about sensitive data exposure. Users may upload private images, audio, or video assuming normal assistant confidentiality, when the workflow actually transmits data to a third-party service and creates externally accessible URLs for up to 72 hours.

External Transmission

Medium
Category
Data Exfiltration
Content
### Upload a Local File

```bash
curl -X POST https://files-api.evolink.ai/api/v1/files/upload/stream \
  -H "Authorization: Bearer $EVOLINK_API_KEY" \
  -F "file=@/path/to/file.jpg"
```
Confidence
88% confidence
Finding
curl -X POST https://files-api.evolink.ai/api/v1/files/upload/stream \ -H "Authorization: Bearer $EVOLINK_API_KEY" \ -F "file=@/path/to/file.jpg" ``` ### Upload from URL ```bash curl -X POST htt

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal