Security audit

Hailuo 02 API

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward PoYo video-generation helper that sends user-provided prompts and image URLs to PoYo using a PoYo API key.

Install this only if you intend to use PoYo for Hailuo 02 generation. Review payloads before submission, avoid secrets or private/internal image URLs in prompts or callback fields, and protect POYO_API_KEY because it can submit jobs on your PoYo account.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 90% confidence
Finding: The skill advertises use of shell tooling (`curl` and a submission script) but does not declare corresponding permissions, creating a capability/permission mismatch. This can undermine least-privilege controls and make review and runtime enforcement harder, especially for a skill that transmits user-provided content and secrets to an external service.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill instructs sending prompts, images, and possibly callback URLs to a third-party API using bearer authentication, but it provides no user-facing disclosure that this data leaves the platform. Users may unknowingly transmit sensitive prompts, proprietary images, or metadata to an external vendor, creating privacy, confidentiality, and compliance risks.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.