PoYo Grok Imagine API

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward PoYo video-generation helper that sends user-provided prompts and optional image URLs to PoYo, with no hidden persistence or unrelated behavior found.

Install only if you intend to submit Grok Imagine jobs to PoYo. Keep POYO_API_KEY private, avoid sensitive prompts or private image URLs unless you accept PoYo processing them, and use only trusted HTTPS callback URLs that you control.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The documentation encourages use of a user-supplied callback_url but does not warn that task metadata and results will be POSTed to an external endpoint under the caller's control. In an agent context, this can enable unintended exfiltration of generated content, task identifiers, or related metadata to arbitrary third-party infrastructure if the callback target is not validated or constrained.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal