Back to skill
Skillv1.0.0
ClawScan security
Kling 3.0 video generation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 13, 2026, 3:35 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent with its stated purpose (submitting Kling 3.0 jobs to PoYo via their API) and only requires curl plus a single POYO_API_KEY environment variable.
- Guidance
- This skill appears to do exactly what it claims: submit Kling 3.0 payloads to PoYo. Before installing, verify you trust the poyo.ai service and the homepage docs listed in the skill. Protect your POYO_API_KEY (provide only to agents you trust). Be cautious when including a callback_url in payloads—webhooks send results to the provided URL and could expose generated content or metadata to that endpoint. If you need stricter controls, run submissions manually or review payloads before sending. If you see unexpected network calls or additional env-var requests at runtime, stop and investigate.
Review Dimensions
- Purpose & Capability
- okName/description, declared dependency (curl), required env var (POYO_API_KEY), referenced API endpoint (api.poyo.ai), and the included shell submission script all align with a video-generation integration for PoYo. Nothing requested appears unrelated to the stated purpose.
- Instruction Scope
- okSKILL.md confines behavior to building/submitting JSON payloads to the documented PoYo endpoint and advising polling or webhook usage. It does not instruct reading other system files, scanning environment variables beyond POYO_API_KEY, or contacting unexpected endpoints.
- Install Mechanism
- okInstruction-only skill with a small shell script; no install spec or remote downloads. This minimizes disk writes and avoids arbitrary code installation.
- Credentials
- okOnly one credential is required (POYO_API_KEY) and it is the obvious and documented API key for the service. No additional unrelated secrets, keys, or config paths are requested.
- Persistence & Privilege
- okSkill is not always-enabled and uses default autonomous-invocation behavior. It does not request system-wide persistence or modify other skills' configurations.