Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Evolink Media — AI Video, Image & Music Generation

v1.3.0

AI video, image & music generation. 60+ models — Sora, Veo 3, Kling, Seedance, GPT Image, Suno v5, Hailuo, WAN. Text-to-video, image-to-video, text-to-image,...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill name/description, declared primary credential (EVOLINK_API_KEY), and the SKILL.md all describe using Evolink generation endpoints or an MCP bridge. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Runtime instructions stick to the generation workflow (use MCP tools, upload files, submit generation tasks, poll check_task). They do not instruct reading unrelated system files or additional environment variables. Use of base64 upload and file_url is explained and is appropriate for file uploads.
Install Mechanism
The skill is instruction-only (no install spec). It recommends bridging an MCP server by running an npm package via npx (@evolinkai/evolink-media) which will execute remote code from the npm registry/GitHub when run by the user. That pattern is expected for MCP integrations but carries the usual moderate risk of executing third-party code — the skill itself does not automatically install anything.
Credentials
Only EVOLINK_API_KEY is required and declared as the primary credential. That is proportionate to an API-based generation service. The SKILL.md does not access or request additional secrets or unrelated environment variables.
Persistence & Privilege
always is false and the skill is user-invocable. It does not request permanent presence or attempt to modify other skills or system-wide configs. Autonomous invocation (model invocation enabled) is the platform default and is not, by itself, a red flag here.
Assessment
This skill appears coherent and only needs an Evolink API key. Before installing:
1) Verify you trust evolink.ai and the @evolinkai npm package/GitHub repo referenced in the SKILL.md (review the package code if you can) because the MCP bridge guidance uses npx which runs remote code when executed.
2) Keep your EVOLINK_API_KEY secret and avoid placing it in public configs; follow Evolink's dashboard for key rotation if needed.
3) Be aware uploaded files may be sent to Evolink (files expire after 72 hours per the docs) — avoid uploading sensitive private data.
4) Confirm billing/quotas on evolink.ai so you don't receive unexpected charges.
If you want stronger assurance, ask the publisher for the package source (the GitHub repo) and audit it before running the npx command.

Like a lobster shell, security has layers — review code before you run it.

latest: vk975p4p9jjxzdkq1sc6hnry0ex81x33e

Runtime requirements

🎨 Clawdis
Env: EVOLINK_API_KEY
Primary env: EVOLINK_API_KEY