ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Grok Imagine API

v1.0.0

Use PoYo AI Grok Imagine Video for short text-to-video and image-to-video generation with motion-style controls through the `https://api.poyo.ai/api/generate...

0· 245·0 current·0 all-time
by@coolhackboy
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (text-to-video/image-to-video via PoYo) matches required artifacts: curl, POYO_API_KEY, API endpoint and example payloads. Nothing requested (binaries, env, paths) is unrelated to the stated purpose.
Instruction Scope
SKILL.md confines actions to building/submitting JSON payloads to https://api.poyo.ai/api/generate/submit, saving task_id, and polling or using callbacks. It does not instruct reading unrelated files, sweep environment values, or exfiltrate data to other endpoints.
Install Mechanism
Instruction-only skill with no install spec; includes a small shell script that uses curl. No downloads, archives, or package installs — low install risk.
Credentials
Requires a single API key (POYO_API_KEY), which is appropriate and used as the Bearer token. No other credentials, config paths, or broad secrets are requested.
Persistence & Privilege
Does not request always:true or any persistent/privileged system changes. The skill is user-invocable and may be called autonomously by the agent (platform default) but that is expected for a client integration and not combined with other red flags.
Assessment
This skill will send whatever JSON (including any text or image URLs) you provide to api.poyo.ai using the POYO_API_KEY you supply. Before installing, confirm you trust PoYo and their privacy/usage policies, avoid putting sensitive secrets or private data in payloads, and if you use callback_url ensure your webhook endpoint is safe to receive external POSTs (don't expose internal-only endpoints). Using a scoped or revocable API key is good practice. The included shell script is simple and only posts to the documented PoYo endpoint with curl; there are no hidden endpoints or installers.

Like a lobster shell, security has layers — review code before you run it.

latestvk97154t9xx3pj7fvan44t376x182njvg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binscurl
EnvPOYO_API_KEY
Primary envPOYO_API_KEY

Comments