PoYo Wan 2.6 API
PassAudited by ClawScan on May 1, 2026.
Overview
This skill is a straightforward PoYo Wan 2.6 video-generation helper that uses your PoYo API key to submit user-provided payloads to the documented PoYo endpoint.
Install this only if you intend to submit Wan 2.6 generation jobs to PoYo. Store POYO_API_KEY securely, avoid passing the key directly on the command line, and review payloads before submission because prompts, media URLs, and optional callback URLs are sent to PoYo. The provided artifacts do not show hidden persistence, unrelated data access, or deceptive behavior.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can submit PoYo generation requests under the user's PoYo credential when invoked for this skill.
The helper uses a PoYo API key as a bearer token, either from the environment or from the first command-line argument, to submit jobs to PoYo.
api_key="${POYO_API_KEY:-${1:-}}" ... -H "Authorization: Bearer $api_key"Use a scoped PoYo API key if available, prefer setting POYO_API_KEY through a secret/environment mechanism rather than passing it on the command line, and review the payload before submission.
Whatever prompt, media URLs, model parameters, and callback settings are in the payload will be sent to PoYo.
The script posts a raw JSON payload from a file or stdin to the PoYo generation endpoint. This is purpose-aligned, but the payload contents are user-controlled.
body=$(cat "$payload") ... curl -sS https://api.poyo.ai/api/generate/submit ... -d "$body"
Check generated JSON before submitting, especially prompts, image/video URLs, duration, resolution, and callback_url fields.
If a callback URL is included, task results or status notifications may be sent to the specified endpoint.
The documented payload can include a webhook callback URL, causing PoYo to send task status/result notifications to that URL.
`callback_url` (string, optional) — Webhook callback URL for result notifications
Only use callback URLs you control and trust, or omit callback_url and poll status manually.