Back to skill

Security audit

Veo 3 1

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward PoYo video-generation API helper, with expected use of curl and a PoYo API key.

Install only if you intend to send video prompts, reference image URLs, and optional callback URLs to PoYo using your POYO_API_KEY. Avoid sensitive or private media unless you trust PoYo’s handling of that data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares shell-capable behavior via curl and a helper script but does not declare corresponding permissions or provide controls around command execution. This creates a transparency and policy-enforcement gap: agents may execute networked shell actions without users or orchestrators having an explicit permission signal to review or block.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs sending prompts, reference image URLs, and potentially callback-related metadata to an external third-party API using a bearer token, but it never warns the user that their content will leave the local environment. This is dangerous because users may unknowingly transmit sensitive prompts, private image links, or proprietary media inputs to an external service with its own retention and logging practices.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.