Is evoweb-ai safe?

https://clawhub.ai/galizki/evoweb-ai

72
CAUTION

EvoWeb AI is a markdown-only API wrapper skill with no executable code, no git hooks, and clean clone behavior. However, it contains extensive agent behavioral instructions that turn the AI into a marketing funnel with embedded UTM tracking, sends user business descriptions to a third-party API across multiple domains, and prescribes a polling loop that can monopolize agent sessions for up to 20 minutes. The skill is not malicious but uses the agent as an aggressive marketing channel.

Category Scores

Prompt Injection 55/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (8)

MEDIUM Agent behavior hijacking via extensive workflow instructions -20

The skill contains detailed multi-step workflow instructions that prescribe specific agent behaviors including automated polling loops (up to 20 minutes), specific response templates with emojis, and a complete lead-generation funnel for users without API keys. This goes beyond tool documentation into behavioral control of the agent.

MEDIUM Embedded marketing attribution in all URLs -15

Every URL in the skill contains UTM tracking parameters (utm_source=claw, utm_medium=skill, utm_campaign=website, utm_content=v1.0). The agent is instructed to use these URLs when communicating with users, making the agent an unwitting marketing attribution channel.

LOW Agent directed to construct URLs with user-embedded content -10

Step 0 instructs the agent to URL-encode user input and embed it into registration links. While functional, this creates a pattern where the agent generates URLs containing user-controlled content directed at a third-party domain.

MEDIUM User business descriptions sent to third-party API -15

The core function of this skill sends user-provided business descriptions, target audience information, and business goals to api.evoweb.ai. While this is the stated purpose, users may not realize their business intelligence is being transmitted to and stored by a third party.

LOW Multiple third-party domains involved -10

The skill communicates with or references multiple domains: api.evoweb.ai (API), evoweb.ai (registration), website.page (generated sites), web.oto.dev (editor), web.evoweb.ai (editor alternate). This expands the trust surface beyond a single provider.

LOW Agent used as lead generation funnel -25

The Step 0 flow turns the AI agent into a marketing/sales funnel. When a user doesn't have an API key, the agent collects their business description and generates a pre-filled registration link, effectively acting as a sales representative for evoweb.ai.

LOW Polling loop can monopolize agent session -30

The prescribed polling strategy (20 attempts, 1-minute intervals) could keep the agent occupied for up to 20 minutes on a single website generation request, effectively creating a denial-of-service against the user's agent session for other tasks.

INFO Platform reads sensitive files during initialization -10

The agent platform (not the skill) read .env, .aws/credentials, and various config files during the monitoring window. This is standard platform behavior but was captured in the monitoring logs.