Security audit

Poyo Gemini 3 1 Flash Tts

Security checks across malware telemetry and agentic risk

Overview

This is a coherent PoYo text-to-speech helper that only submits user-prepared audio-generation payloads to the disclosed PoYo API when explicitly used.

Install this only if you intend to use PoYo TTS. Keep POYO_API_KEY server-side, avoid sending private or regulated text unless PoYo is approved for that data, and only use callback_url values that point to trusted HTTPS endpoints you control.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The reference documents use of a user-supplied `callback_url` that will receive task state and result notifications, but it does not explicitly warn that task metadata and potentially result URLs will be transmitted to an external endpoint. In a skill context, this can lead to unintentional data disclosure or SSRF-style misuse if downstream implementations accept arbitrary callback targets without validation or user consent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.