Security audit

Poyo Gpt 5 4

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed PoYo GPT-5.4 API helper that uses a user-provided API key and optional curl script, with no hidden persistence or destructive behavior found.

Install this only if you intend to use PoYo for GPT-5.4 chat completions. Keep POYO_API_KEY server-side, review payloads before running the helper script, and avoid invoking the skill for ordinary coding or summarization unless you actually want content sent to PoYo.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 81% confidence
Finding: The activation rules are broad enough to match generic tasks like text generation, planning, reasoning, summarization, and code assistance, not just PoYo-specific chat completions. This can cause the skill to activate in unrelated contexts and steer data or prompts toward an external API integration path, increasing the chance of unnecessary external transmission or misuse of secrets.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.