Hailuo 02 API
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: hailuo2 Version: 1.0.0 The skill bundle provides a standard interface for interacting with the PoYo AI Hailuo 02 video generation API. It includes a shell script (scripts/submit_hailuo_02.sh) that uses curl to submit JSON payloads to the official API endpoint (https://api.poyo.ai/api/generate/submit) using a Bearer token. The instructions and documentation are consistent with the stated purpose and do not exhibit any signs of data exfiltration, malicious execution, or prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who obtains the API key could use the associated PoYo account or credits. Passing the key on the command line can also expose it through shell history or process listings.
The helper uses a PoYo API token for Bearer authentication. This is expected for the stated API integration, but the key authorizes job submission and the script also allows passing it as a command-line argument.
api_key="${POYO_API_KEY:-${1:-}}" ... -H "Authorization: Bearer $api_key"Prefer setting POYO_API_KEY securely in the environment rather than passing the key as an argument, and use a limited or revocable API key if PoYo supports it.
Prompts, reference image URLs, and task notifications may leave the local environment and be handled by PoYo or by the configured callback endpoint.
The workflow sends prompts and optional image URLs to the external PoYo provider and can use a webhook callback. This is purpose-aligned, but it is a data-boundary users should understand.
- `callback_url` (string, optional) — Webhook callback URL for result notifications - `prompt` (string, required) — Generation prompt describing the desired video - `image_urls` (string[], optional) — Reference image URLs for image-to-video generation
Avoid including sensitive prompts or private image URLs unless you are comfortable sending them to PoYo, and use callback URLs only for endpoints you control.