Evolink Video — AI Video Generation (Sora, Kling, Veo 3, Seedance)
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: evolink-video
Version: 2.0.1
The skill is classified as suspicious due to the instruction to the AI agent to execute remote code via `npx -y @evolinkai/evolink-media@latest` for setting up the MCP server, as seen in `SKILL.md`. While this is plausibly needed for the skill's functionality, it represents a significant supply chain risk by fetching and executing code from an external registry. Additionally, the `references/file-api.md` documentation provides `curl` commands demonstrating direct shell and network access for uploading local files, which, while intended for reference images, highlights risky capabilities that could be misused if the agent were compromised or tricked.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Creating or retrying videos may consume EvoLink credits.
The generation tool can create paid account activity by reserving or charging credits. This is central to the skill's purpose, but users should notice that generation is account-impacting.
`generate_video` ... `POST /v1/videos/generations` ... `usage.credits_reserved` | Credits charged for this task
Keep video generation user-directed, and use cost estimation or explicit confirmation before expensive models, high quality settings, or repeated retries.
Anyone or any connected tool using the key can act against the EvoLink account within that key's permissions, including generation and file-management actions.
The skill requires an EvoLink API key and makes it available for service calls. This is expected for the integration, but it is still a sensitive account credential.
`EVOLINK_API_KEY` authenticates all requests. Injected by OpenClaw automatically. Treat as confidential.
Use a dedicated EvoLink API key if possible, rotate it if exposed, and monitor account usage or billing.
Running the setup may execute updated external MCP code that was not part of this instruction-only artifact set.
The recommended MCP setup downloads and runs the latest npm package rather than a pinned version. This is disclosed and purpose-aligned, but future package changes would affect what code handles the API key and requests.
`npx -y @evolinkai/evolink-media@latest`
Review the referenced npm/GitHub package, prefer pinning a known version, and only run the MCP server from a trusted environment.
Sensitive prompts, reference images, or generated video URLs may be processed or accessible through EvoLink during the documented retention windows.
The skill clearly discloses that user prompts and media leave the local environment and are retained remotely for limited periods. This is necessary for the service, but it is a privacy boundary.
Prompts and images are sent to `api.evolink.ai`. Uploaded files expire in **72h**, result URLs in **24h**.
Avoid uploading confidential, personal, or regulated media unless you are comfortable with EvoLink processing it; delete hosted files when no longer needed.
