Back to skill

Security audit

Poyo Kling 2 6 Motion Control

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward PoYo API helper for motion-control video generation, with expected third-party data transfer and no hidden or destructive behavior found.

Install only if you are comfortable sending prompts and image/video URLs to PoYo using your POYO_API_KEY. Avoid sensitive personal or proprietary media unless PoYo's terms and data handling are acceptable for your use case.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly requires a PoYo API key and is designed to upload user-provided images and videos to an external service, but it does not warn users about that data transfer in the description or visible usage guidance. This creates a meaningful consent and privacy risk because users may provide sensitive media without understanding it will leave the local environment and be processed by a third party.

External Transmission

Medium
Category
Data Exfiltration
Content
---
name: poyo-kling-2-6-motion-control
description: Kling 2.6 Motion Control on PoYo / poyo.ai via `https://api.poyo.ai/api/generate/submit`; use for `kling-2.6-motion-control`, motion transfer, character animation, orientation control, and 720p/1080p output.
metadata: {"openclaw": {"homepage":"https://poyo.ai/models/kling-2-6-motion-control", "requires": {"bins": ["curl"], "env": ["POYO_API_KEY"]}, "primaryEnv": "POYO_API_KEY"}}
---
Confidence
88% confidence
Finding
https://api.poyo.ai/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.