Hailuo 02 API

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a straightforward PoYo Hailuo 02 video-generation helper, but it uses your PoYo API key and sends prompts or image URLs to PoYo.

This skill is reasonable to install if you intend to submit Hailuo 02 jobs through PoYo. Before use, configure POYO_API_KEY securely, review the final payload including model, duration, resolution, image URLs, and callback_url, and remember that submitted jobs may use your PoYo credits.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who obtains the API key could use the associated PoYo account or credits. Passing the key on the command line can also expose it through shell history or process listings.

Why it was flagged

The helper uses a PoYo API token for Bearer authentication. This is expected for the stated API integration, but the key authorizes job submission and the script also allows passing it as a command-line argument.

Skill content

api_key="${POYO_API_KEY:-${1:-}}" ... -H "Authorization: Bearer $api_key"

Recommendation

Prefer setting POYO_API_KEY securely in the environment rather than passing the key as an argument, and use a limited or revocable API key if PoYo supports it.

What this means

Prompts, reference image URLs, and task notifications may leave the local environment and be handled by PoYo or by the configured callback endpoint.

Why it was flagged

The workflow sends prompts and optional image URLs to the external PoYo provider and can use a webhook callback. This is purpose-aligned, but it is a data boundary users should understand.

Skill content

- `callback_url` (string, optional) — Webhook callback URL for result notifications
- `prompt` (string, required) — Generation prompt describing the desired video
- `image_urls` (string[], optional) — Reference image URLs for image-to-video generation

Recommendation

Avoid including sensitive prompts or private image URLs unless you are comfortable sending them to PoYo, and use callback URLs only for endpoints you control.