Skill v1.0.0

ClawScan security

Nano Banana · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 11, 2026, 12:08 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent with its stated purpose (submitting image-generation jobs to PoYo via api.poyo.ai), requests only the expected API key and curl, and contains only a small helper script and reference docs.
Guidance
This skill appears to do what it says: submit image-generation or edit jobs to PoYo. Before installing:
1) Ensure POYO_API_KEY is obtained from the official PoYo dashboard and that its permissions are appropriate.
2) Do not pass the API key on the command line (avoid giving it as the script's first argument) because it can be visible to other processes; use the POYO_API_KEY env var instead.
3) If you use a webhook callback_url, make sure the receiving endpoint is trusted and can safely accept results (it may receive image assets or user-provided content).
4) Review rate limits, costs, and the privacy policy on poyo.ai.
5) If you need higher assurance, inspect network traffic or run the script in an isolated environment first.
The script has minor argument-handling quirks but nothing that indicates malicious intent.

Review Dimensions

Purpose & Capability
ok
Name/description match the runtime artifacts: SKILL.md, references/api.md, and a shell helper all target https://api.poyo.ai/api/generate/submit. The requested binary (curl) and primary env var (POYO_API_KEY) are appropriate for calling the PoYo API.
Instruction Scope
ok
Instructions are narrowly scoped to building/submitting JSON payloads, saving task_id, and polling or using a callback_url. They do not instruct the agent to read unrelated files or other env vars, or to send data to unexpected endpoints.
Install Mechanism
ok
There is no install spec (instruction-only) and only a small shell script is included. No downloads from external/opaque URLs or package installs are present.
Credentials
note
Only POYO_API_KEY is required, which is proportional. Caution: the included script accepts the API key as a command-line argument (first positional), which can expose the key in process listings; prefer setting POYO_API_KEY in the environment. Also verify the API key's scope/permissions and obtain it from the official dashboard.
Persistence & Privilege
ok
The skill is not always-enabled and uses the platform default (agent invocation allowed). It does not request persistent system-wide privileges or modify other skills' configurations.