Security audit

Poyo Gemini 3 5 Flash

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward PoYo Gemini API helper that discloses its API-key and network use, with only a minor caution that its activation wording is broader than ideal.

Install this only if you intend to use PoYo's Gemini 3.5 Flash API. Keep POYO_API_KEY in a server-side environment or secret manager, review payloads before sending, and avoid forwarding private messages, system prompts, or media unless your policy allows that data to be sent to PoYo.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 81% confidence
Finding: The 'Use When' scope includes very broad categories such as coding assistance, summarization, structured responses, and chat integration, which are common tasks not specific to this provider skill. Overly broad matching can cause the agent to invoke this skill unnecessarily, increasing the chance of external data transmission to a third-party API and exposing prompts or sensitive context beyond what is needed.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.