Security audit

Poyo Gpt 5 5

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward PoYo GPT-5.5 chat-completions helper with disclosed API-key and curl requirements, though its trigger wording is broader than ideal.

Install this only if you intend to use PoYo for GPT-5.5 chat completions. Keep POYO_API_KEY server-side, review payloads before sending private prompts or code to PoYo, and avoid invoking it for ordinary coding, planning, or summarization unless you specifically want PoYo involved.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 83% confidence
Finding: The activation criteria are very broad, covering generic coding help, reasoning, planning, summarization, and assistant workflow text. This can cause the skill to trigger for many ordinary tasks and unnecessarily route user data, prompts, or internal context into an external-provider workflow, increasing the chance of unintended data exposure or tool overuse.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.