Flux 2 API

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward PoYo Flux 2 API helper that sends user-provided generation payloads to PoYo, with no hidden persistence or destructive behavior found.

Install only if you intend to use PoYo Flux 2 through PoYo's API. Keep POYO_API_KEY in an environment variable rather than passing it on the command line, review each payload before submission, avoid sensitive prompts or private/internal image URLs, and use callback URLs only for endpoints you control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
80% confidence
Finding
The skill declares use of shell tooling (`curl`) via metadata and execution instructions, but there is no explicit permissions declaration or user-visible constraint around shell/network execution. This can cause the agent framework to underrepresent the skill's real capabilities, reducing transparency and increasing the risk of unintended command execution or data transfer.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs sending prompts, image URLs, and authentication credentials to a third-party API without warning the user that their content will leave the local environment. In an agent setting, this can lead to inadvertent disclosure of sensitive prompts, private image links, or business data to an external service.

VirusTotal

65/65 vendors flagged this skill as clean.
