GPT-4o-image
Analysis
This is a straightforward PoYo image-generation API helper that uses a PoYo API key and sends user-provided payloads to PoYo, with no evidence of hidden persistence, exfiltration, or destructive behavior.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
Use `scripts/submit_gpt_4o_image.sh` to submit a raw JSON payload from the shell.
The skill exposes a shell/curl workflow that can submit arbitrary JSON payloads to the PoYo generation endpoint. This is purpose-aligned, but users should ensure the payload is intended before submission.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
api_key="${POYO_API_KEY:-${1:-}}" ... -H "Authorization: Bearer $api_key"The helper uses a PoYo API key as a Bearer token to submit requests. This is necessary for the stated PoYo integration, but it grants access to the user's PoYo account/API quota.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
`image_urls` (string[], optional) — Reference image URLs ... `callback_url` (string, optional) — Webhook callback URL for result notifications
The API workflow may send user-provided image URLs and callback destinations to an external provider. This is disclosed and expected for image editing/status notification, but it is still an external data flow.