Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Evolink Video — AI Video Generation (Sora, Kling, Veo 3, Seedance)
v2.0.1
AI video generation — Sora, Kling, Veo 3, Seedance, Hailuo, WAN, Grok. Text-to-video, image-to-video, video editing. 37 models, one API key.
⭐ 2· 947·5 current·6 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name, description, declared endpoints, and required env var (EVOLINK_API_KEY) align with a text-/image-to-video generation service. No unrelated environment variables or binaries are requested.
Instruction Scope
SKILL.md instructs the agent to call Evolink APIs, optionally upload files, poll task status, and guide user prompts. File upload and polling behavior are appropriate for video generation. The instructions do suggest optionally installing/using an MCP npm package (npx @evolinkai/evolink-media) to enable MCP tools — that's a reasonable integration note but is external to the skill itself.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to write or execute. That minimizes disk-executed install risk. The README references a third-party npm MCP package for optional tooling, but the skill itself does not install anything automatically.
Credentials
Only one credential is required (EVOLINK_API_KEY) and it is justified by the described API calls. The SKILL.md explicitly cautions that the key is confidential. No other secrets or unrelated credentials are requested.
Persistence & Privilege
always is false and the skill does not request system-wide config paths or modify other skills. Model invocation is allowed (normal default) but not elevated. The skill does not request persistent presence or privileged system access.
Assessment
This skill appears coherent for video generation but before installing:
1) Verify the Evolink service (evolink.ai) and that the API key you provide is legitimate and has appropriate billing/permission settings; avoid giving long-lived or scope-broad keys when unnecessary.
2) Understand that uploaded reference images become publicly accessible URLs (they expire by default but still may be visible while active) — avoid uploading sensitive content.
3) If you plan to enable the optional MCP tools, review the referenced npm package (@evolinkai/evolink-media) before running npx to ensure you trust the package and its permissions.
4) Note the registry lists no source/homepage metadata; consider confirming the publisher or using an API key with limited privileges.
5) If you need greater assurance, ask the publisher for source/repo links or an official SDK/manifest to review; that would increase confidence in the skill.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🎬 Clawdis
OS: macOS · Linux · Windows
Env: EVOLINK_API_KEY
Primary env: EVOLINK_API_KEY
