Security audit

Poyo Video Background Removal

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrowly scoped PoYo video background-removal helper that discloses its API use and does not show hidden, persistent, or destructive behavior.

Before installing, make sure you are comfortable sending the source video URL and any callback URL to PoYo. Keep POYO_API_KEY server-side, avoid signed/private/internal URLs unless approved, prefer temporary least-privilege URLs, and do not log API keys, raw authorization headers, task IDs, or generated output URLs unless your policy permits it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The documentation instructs users to send public video URLs and optional callback URLs to a third-party service, but it does not explicitly warn that this shares potentially sensitive media locations and webhook endpoints with an external provider. In a skill context, users may assume hosted URLs are routine inputs and overlook privacy, access-control, or metadata exposure risks, especially if URLs embed tokens or point to non-public infrastructure.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.