GPT Image 1.5 API

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward PoYo image-generation API helper whose network use and API-key requirement match its stated purpose.

Install only if you intend to use PoYo's API. Prefer POYO_API_KEY in an environment variable, review payloads before submission, and avoid sending confidential prompts, private image URLs, mask URLs, secrets in URLs, or untrusted callback URLs unless sharing them with PoYo is intended.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill instructs sending Bearer-authenticated JSON to an external API but does not warn users that prompts, image URLs, and possibly sensitive content will be transmitted to a third-party service. This can lead to inadvertent disclosure of confidential data, especially because the workflow encourages direct submission using an API key.

VirusTotal

66/66 vendors flagged this skill as clean.
