Hailuo 02 API
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who obtains the API key could use the associated PoYo account or credits. Passing the key on the command line can also expose it through shell history or process listings.
The helper uses a PoYo API token for Bearer authentication. This is expected for the stated API integration, but the key authorizes job submission and the script also allows passing it as a command-line argument.
api_key="${POYO_API_KEY:-${1:-}}" ... -H "Authorization: Bearer $api_key"Prefer setting POYO_API_KEY securely in the environment rather than passing the key as an argument, and use a limited or revocable API key if PoYo supports it.
Prompts, reference image URLs, and task notifications may leave the local environment and be handled by PoYo or by the configured callback endpoint.
The workflow sends prompts and optional image URLs to the external PoYo provider and can use a webhook callback. This is purpose-aligned, but it is a data-boundary users should understand.
- `callback_url` (string, optional) — Webhook callback URL for result notifications - `prompt` (string, required) — Generation prompt describing the desired video - `image_urls` (string[], optional) — Reference image URLs for image-to-video generation
Avoid including sensitive prompts or private image URLs unless you are comfortable sending them to PoYo, and use callback URLs only for endpoints you control.