Evolink Video — AI Video Generation (Sora, Kling, Veo 3, Seedance)

Security checks across malware telemetry and agentic risk

Overview

This skill coherently supports EvoLink video generation and discloses its API key, upload, and external-service behavior.

Install only if you are comfortable giving the skill an EvoLink API key and sending prompts, images, videos, and referenced URLs to EvoLink. Avoid sensitive or regulated media, delete hosted files when no longer needed, monitor credit usage, and consider reviewing or pinning the MCP package instead of blindly running the `@latest` setup command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The document explicitly instructs users to obtain a publicly accessible `file_url` for uploaded images, but it does not clearly warn that uploaded content becomes internet-accessible and may expose sensitive images or metadata. In a video-generation workflow, users may upload private reference images, so omission of a prominent privacy warning materially increases the risk of unintended data disclosure.

Missing User Warnings

Medium
Confidence: 90%
Finding
The file management section documents uploading local files, base64 data, and remote URLs to external Evolink endpoints but does not clearly warn users that local content and URL-referenced resources will be transmitted to a third-party service. In an agent skill context, this omission can cause unintentional exfiltration of sensitive local files or internal-only URLs if the agent is allowed to act on user-supplied paths or links.

VirusTotal

66/66 vendors flagged this skill as clean.
