ClawHub
Back to skill

Security audit

Evolink Music — AI Music Generation (Suno v4/v4.5/v5)

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Evolink music-generation integration; its main risk is that user audio may be uploaded to Evolink and exposed through temporary public links.

Install only if you are comfortable giving Evolink an API key and sending prompts, audio files, base64 audio, or referenced URLs to Evolink. Avoid uploading private, unreleased, licensed, or internal audio unless you intentionally accept temporary public-link exposure, and confirm file IDs before deleting hosted files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document explicitly instructs users to upload audio files to a hosting service and then use the returned `file_url` as a publicly accessible link, but it does not warn that uploaded content becomes public or discuss the privacy implications. In a music workflow, users may upload unreleased tracks, licensed stems, voice recordings, or other sensitive audio, so omission of a privacy warning can easily lead to unintended disclosure.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
- **MCP tools + API key ready:** "Hi! I'm your AI music studio — Suno v4 through v5 ready. What would you like to create?"
- **MCP tools + no API key:** "You'll need an EvoLink API key — sign up at evolink.ai. Ready to go?"
- **No MCP tools:** "MCP server isn't connected yet. Want me to help set it up? I can still manage files via the hosting API."

Keep the greeting concise — just one question to move forward.
Confidence
76% confidence
Finding
tools:*

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal