Skills
skills/evolinkai/image-generation-skill-for-openclaw/evolink-image/Gen Agent Trust Hub

evolink-image

Pass

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill ingests untrusted data in the form of user prompts and external image URLs, creating a surface for indirect prompt injection.
  • Ingestion points: The generate_image tool in SKILL.md accepts prompt and image_urls parameters.
  • Boundary markers: The skill does not define specific delimiters or instructions to ignore embedded commands in the input data.
  • Capability inventory: Includes network requests to the EvoLink API and file system interactions via the upload_file and delete_file tools.
  • Sanitization: No internal sanitization logic for input strings is present in the skill files.
  • [EXTERNAL_DOWNLOADS]: Instructions in README.md and SKILL.md guide the user to download and execute the @evolinkai/evolink-media MCP server from npm using the npx command. This is a vendor-owned package.
  • [COMMAND_EXECUTION]: The provided scripts/evolink-image-gen.sh utility script executes shell commands like curl and jq to facilitate API communication.
  • [DATA_EXFILTRATION]: User prompts and image data are transmitted to the vendor's API endpoints at api.evolink.ai and files-api.evolink.ai for processing.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 2, 2026, 08:30 AM