registry  /  evolink-krea-2-turbo  /  1.0.0

evolink-krea-2-turbo@1.0.0

EvoLink API examples and agent skill for Krea 2 Turbo Image Generation.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 32.2 KB of source, external domains: api.evolink.ai, curl.se, evolink.ai, github.com, stedolan.github.io

Source & flagged code

4 flagged · loading source
bin/cli.jsView file
6const path = require('path'); L7: const { execSync, spawnSync } = require('child_process'); L8: const readline = require('readline');
High
Child Process

Package source references child process execution.

bin/cli.jsView on unpkg · L6
456try { L457: const https = require('https'); L458: const result = spawnSync(process.execPath, [ L459: '-e', L460: `const https=require('https');const r=https.request('https://api.evolink.ai/v1/credits',{method:'GET',headers:{'Authorization':'Bearer ${key.replace(/'/g, "\\'")}'}, timeout:10000}... L461: ], { encoding: 'utf8', stdio: 'pipe', timeout: 15000 });
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

bin/cli.jsView on unpkg · L456
6const path = require('path'); L7: const { execSync, spawnSync } = require('child_process'); L8: const readline = require('readline'); ... L20: // ── Package root (resolve relative to this script) ─────────────────────────── L21: const PKG_ROOT = path.resolve(__dirname, '..'); L22: // krea-2-turbo-image — folder name under <skills-dir>/ where this skill installs (kebab-case, matches _meta.json slug) L23: const SKILL_SLUG = 'krea-2-turbo-image'; L24: const PKG_JSON = JSON.parse(fs.readFileSync(path.join(PKG_ROOT, 'package.json'), 'utf8')); L25: const PKG_VERSION = PKG_JSON.version; L26: const PKG_NAME = PKG_JSON.name; L27: const INSTALL_KEY_URL = 'https://evolink.ai/dashboard/keys?utm_source=skill&utm_medium=install&utm_campaign=krea-2-turbo-image'; L28:
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bin/cli.jsView on unpkg · L6
examples/python/complete_flow.pyView file
path = examples/python/complete_flow.py kind = build_helper sizeBytes = 1674 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

examples/python/complete_flow.pyView on unpkg

Findings

2 High5 Medium4 Low
HighChild Processbin/cli.js
HighCommand Output Exfiltrationbin/cli.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebin/cli.js
MediumShips Build Helperexamples/python/complete_flow.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings