Z Image API

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward PoYo image-generation helper that discloses its external API use and API-key requirement.

Install only if you are comfortable sending image prompts and payload contents to PoYo. Keep POYO_API_KEY in a trusted environment variable, avoid putting sensitive data in prompts or callback URLs, and review payloads before submission because API calls may consume credits.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 81% confidence
Finding: The skill advertises use of shell tooling (`curl`) and a submission script while not declaring corresponding permissions, which creates a mismatch between the skill's stated trust boundary and its actual execution capabilities. That can lead to unexpected command execution and external network access in environments that rely on permission metadata for policy enforcement or user awareness.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs the agent to send Bearer-authenticated requests containing user prompts to an external service using `POYO_API_KEY`, but it does not provide any warning about third-party data transfer, retention, or credential handling. This is dangerous because users may unknowingly transmit sensitive prompts or metadata off-platform, and developers may expose or misuse API credentials without clear safeguards.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal