evolink-video
Pass
Audited by Gen Agent Trust Hub on Mar 31, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill includes a bash script `scripts/evolink-video-gen.sh` that uses `curl` and `jq` to interact with the Evolink API. This script correctly employs `jq` to sanitize and escape user-provided prompt strings before they are included in the JSON payload, mitigating potential injection risks.
- [EXTERNAL_DOWNLOADS]: The skill documentation recommends bridging an MCP server using `npx -y @evolinkai/evolink-media@latest`. This refers to an official package provided by the skill vendor (evolinkai) to enable enhanced tool capabilities for the agent.
- [SAFE]: An analysis of the indirect prompt injection surface was conducted. The skill ingests untrusted data in the form of user prompts and image URLs (ingestion points) and possesses the capability to perform network operations through its scripts (capability inventory). However, the implementation uses robust sanitization via `jq` to prevent user input from compromising the shell environment or API requests (sanitization). Additionally, input is constrained by the expected data types in the skill's defined parameters (boundary markers).
Audit Metadata