Veo 3.1 API
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent PoYo video-generation API helper, but it will use your PoYo API key and send prompts, image URLs, and optional callback settings to PoYo.
This skill appears safe to install if you intend to use PoYo Veo 3.1. Before use, set POYO_API_KEY securely, avoid putting the API key in chat or command-line arguments, review any prompt/image URLs/callback_url before submission, and confirm you are comfortable with PoYo receiving that content and potentially charging for generated jobs.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked, the skill can submit video-generation jobs to PoYo using the user's account.
The skill exposes a shell helper that submits user-provided JSON to the PoYo generation API. This is expected for the stated purpose, but actual submissions may create external jobs or costs.
Use `scripts/submit_veo_3_1.sh` to submit a raw JSON payload from the shell.
Review the final payload, model choice, image URLs, and cost implications before submitting a job.
The key can authorize actions on the user's PoYo account and may be visible in command history or process listings if passed as an argument.
The helper uses a PoYo bearer API key, either from POYO_API_KEY or as a positional argument. This is necessary for the integration, but command-line API-key arguments can be more exposed than environment or secret-store usage.
api_key="${POYO_API_KEY:-${1:-}}" ... -H "Authorization: Bearer $api_key"Prefer setting POYO_API_KEY through a trusted environment or secret manager, use a limited-scope key if PoYo supports it, and avoid pasting the key into prompts or command examples.
If a callback URL is included, job notifications may be sent to that external URL.
The API supports sending job notifications to a callback URL. This is an expected provider workflow, but the destination URL should be trusted because it may receive task status or result information.
`callback_url` (string, optional) — Webhook callback URL for result notifications
Use only trusted HTTPS callback endpoints, or omit callback_url and poll task status manually when you do not need webhook delivery.