Skill v1.3.0

VirusTotal security

Evolink Media — AI Video, Image & Music Generation · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 29, 2026, 4:28 AM
Hash: 556c38b9f523005df15e58b6e1020473f0ff6ac2d7e076619b0c6c30b006eb8e
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: evolink-media
Version: 1.3.0

The `SKILL.md` file explicitly instructs the AI agent to use `curl` commands for file management (upload, list, delete) with the Evolink file hosting API when MCP tools are unavailable. These `curl` commands involve parameters such as `file=@/path/to/file.jpg`, `file_url`, and `file_id`. If the agent constructs these commands using unsanitized user input, it could lead to shell injection (e.g., arbitrary local file access or command execution via `file_path`) or Server-Side Request Forgery (SSRF) via `file_url`. While the `curl` commands are intended for legitimate interaction with the skill's own service (`files-api.evolink.ai`), the direct instruction to execute shell commands with potentially user-controlled arguments introduces a significant vulnerability, classifying it as suspicious rather than benign or malicious.