Back to skill
Skillv1.0.0
ClawScan security
GPT Image 1.5 API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 10, 2026, 11:53 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements, instructions, and included script match its stated purpose (submitting PoYo image-generation jobs with curl and a POYO_API_KEY).
- Guidance
- This skill is coherent with its purpose, but before installing: ensure you trust PoYo (the API provider) and understand any billing tied to the API key; never paste secrets or sensitive images into payloads unless you accept sharing them with the provider; if you plan to use callback_url (webhooks), be aware that generated content and task metadata may be POSTed to that URL — use a secure endpoint you control. Store and rotate the POYO_API_KEY safely and limit its permissions where possible. Note the agent may invoke the skill autonomously per platform defaults; if you want to prevent that, disable autonomous invocation in agent settings.
Review Dimensions
- Purpose & Capability
- okName/description ask for submitting and tracking PoYo GPT Image 1.5 jobs; required binary is curl and the only required env var is POYO_API_KEY — both directly required to call the documented API endpoint. Nothing requested is unrelated to image generation.
- Instruction Scope
- okSKILL.md confines its behavior to building JSON payloads, submitting to https://api.poyo.ai/api/generate/submit, saving task_id, and polling or using callback_url. It references only the included references/api.md and the provided shell script; it does not instruct reading unrelated files or other environment secrets.
- Install Mechanism
- okNo install spec (instruction-only) and a small included shell script. Nothing is downloaded or written to disk by an installer; risk from install mechanism is minimal.
- Credentials
- okOnly POYO_API_KEY is required and it is used by the provided script and described API calls. No unrelated credentials, config paths, or broad secrets are requested.
- Persistence & Privilege
- okalways:false (default) and the skill does not attempt to modify other skills or system-wide settings. It can be invoked autonomously by the agent per platform defaults, which is expected for a service integration.