Sora 2 Pro
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: poyo-sora-2-pro
Version: 1.0.0
The skill bundle is a standard API wrapper for the PoYo AI Sora 2 Pro video generation service. It contains a shell script (scripts/submit_sora_2_pro.sh) that uses curl to send JSON payloads to a legitimate-looking endpoint (api.poyo.ai) and documentation (SKILL.md, references/api.md) explaining how to interface with the service. No evidence of malicious intent, data exfiltration, or prompt injection was found; the code's behavior is entirely consistent with its stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A submitted payload can start a PoYo generation job and may consume account credits or process provided prompts and image URLs.
The skill exposes a shell/curl helper that sends user-provided JSON to the generation endpoint. This is central to the skill, but the payload can create an external video job.
Use `scripts/submit_sora_2_pro.sh` to submit a raw JSON payload from the shell.
Review and confirm the final payload, selected model, duration, image URLs, and expected cost before submission.
Anyone with the API key could submit jobs against the user's PoYo account.
The helper obtains a PoYo API key from the environment or a command-line argument and sends it as a Bearer token to PoYo. This is expected for the API, but it is sensitive account authority.
`api_key="${POYO_API_KEY:-${1:-}}"` ... `-H "Authorization: Bearer $api_key"`
Prefer setting POYO_API_KEY in a secure environment variable, avoid passing the key directly on the command line, and rotate the key if it is exposed.
Task results or status data may be sent to the callback URL supplied in the request.
The API supports optional webhook callbacks, which create an additional external data flow if included in the payload.
`callback_url` (string, optional) — Webhook callback URL for result notifications ... PoYo sends a POST callback when the task reaches `finished` or `failed`.
Use callback URLs only when needed, choose trusted endpoints, and avoid including sensitive data in callbacks unless the endpoint is secured.
