Back to skill

Security audit

Poyo Flux 2 Api

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward PoYo image-generation API helper, with expected third-party data sharing but no hidden or destructive behavior found.

Install only if you intend to use PoYo's external API. Do not submit secrets, confidential prompts, private internal URLs, sensitive images, or regulated data unless you are comfortable sharing them with PoYo under its policies. Prefer setting POYO_API_KEY as an environment variable instead of passing it on the command line.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly instructs sending prompts, image URLs, and possibly edited media to a third-party API using a bearer token, but it provides no user-facing consent, privacy warning, or data-handling caveat. This creates a real data-exposure risk because users may unknowingly transmit sensitive prompts, private images, or internal URLs to an external service.

External Transmission

Medium
Category
Data Exfiltration
Content
---
name: poyo-flux-2
description: Use PoYo AI Flux 2 through the `https://api.poyo.ai/api/generate/submit` endpoint. Use when a user wants to generate or edit media with this model family, prepare PoYo-compatible payloads, submit jobs, or poll task status for `flux-2-pro`, `flux-2-pro-edit`, `flux-2-flex`, `flux-2-flex-edit`.
metadata: {"openclaw": {"homepage":"https://poyo.ai/models/flux-2", "requires": {"bins": ["curl"], "env": ["POYO_API_KEY"]}, "primaryEnv": "POYO_API_KEY"}}
---
Confidence
80% confidence
Finding
https://api.poyo.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
## Quick workflow

1. Choose the right model id for the requested output.
2. Build the request body for `POST https://api.poyo.ai/api/generate/submit`.
3. Send Bearer-authenticated JSON with `Authorization: Bearer <POYO_API_KEY>`.
4. Save the returned `task_id`.
5. Poll unified task status or wait for `callback_url` notifications.
Confidence
91% confidence
Finding
https://api.poyo.ai/

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.