Back to skill

Security audit

Poyo Generate Lyrics

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward PoYo lyrics-generation helper that sends user prompts to PoYo as its disclosed core function.

Install only if you are comfortable sending lyric prompts to PoYo. Keep POYO_API_KEY private, avoid confidential or personal content in prompts, use only callback URLs you control, and review PoYo pricing/retention expectations before high-volume use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill declares operational shell capability via `curl` in metadata but does not expose any explicit permission boundary or user-consent mechanism in the skill file. This creates a real risk that an agent can initiate outbound network actions from shell without a clearly declared execution scope, increasing the chance of unintended API calls or misuse in environments that rely on declared permissions for policy enforcement.

External Transmission

Medium
Category
Data Exfiltration
Content
---
name: poyo-generate-lyrics
description: Generate song lyrics on PoYo / poyo.ai via `https://api.poyo.ai/api/generate/submit`; use for `generate-lyrics`, lyric drafts, verses and choruses, theme-based songwriting, mood or genre guidance, music-generation preparation, callbacks, and music detail retrieval.
metadata: {"openclaw":{"homepage":"https://poyo.ai/models/generate-lyrics","requires":{"bins":["curl"],"env":["POYO_API_KEY"]},"primaryEnv":"POYO_API_KEY"}}
---
Confidence
88% confidence
Finding
https://api.poyo.ai/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.