Sora 2 Pro
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a straightforward PoYo video-generation helper, but it uses your PoYo API key to submit prompts, image URLs, and optional webhook callbacks to PoYo.
Before installing, make sure you are comfortable giving the skill access to POYO_API_KEY and sending generation prompts, image URLs, and optional callback URLs to PoYo. Prefer a secure environment variable for the key, review each payload before submission, and confirm any credit or billing impact.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A submitted payload can start a PoYo generation job and may consume account credits or process provided prompts and image URLs.
The skill exposes a shell/curl helper that sends user-provided JSON to the generation endpoint. This is central to the skill, but the payload can create an external video job.
Use `scripts/submit_sora_2_pro.sh` to submit a raw JSON payload from the shell.
Review and confirm the final payload, selected model, duration, image URLs, and expected cost before submission.
Anyone with the API key could submit jobs against the user's PoYo account.
The helper obtains a PoYo API key from the environment or a command-line argument and sends it as a Bearer token to PoYo. This is expected for the API, but it is sensitive account authority.
`api_key="${POYO_API_KEY:-${1:-}}"` ... `-H "Authorization: Bearer $api_key"`
Prefer setting POYO_API_KEY in a secure environment variable, avoid passing the key directly on the command line, and rotate the key if it is exposed.
Task results or status data may be sent to the callback URL supplied in the request.
The API supports optional webhook callbacks, which create an additional external data flow if included in the payload.
`callback_url` (string, optional) — Webhook callback URL for result notifications ... PoYo sends a POST callback when the task reaches `finished` or `failed`.
Use callback URLs only when needed, choose trusted endpoints, and avoid including sensitive data in callbacks unless the endpoint is secured.
