Dlazy Banana Pro

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud image-generation wrapper, but users should be aware it sends prompts and chosen image files to dLazy and uses a stored API key.

Install only if you intend to use dLazy's hosted image-generation service. Prompts and any image paths you provide may be uploaded to api.dlazy.com or files.dlazy.com, and the CLI may store an API key locally. Consider using the npx form or DLAZY_API_KEY if you do not want a persistent global CLI or saved key, and avoid invoking the skill on private images unless you are comfortable sending them to dLazy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 85%
Finding
The trigger keywords include broad, everyday phrases such as generating or editing images, which can cause the skill to activate in contexts the user did not intend. In an agent environment, overly broad activation can lead to unintended execution of an external CLI, accidental transmission of prompts or local file paths to third-party services, and surprise use of authenticated API credentials.

Vague Triggers

Medium
Confidence: 93%
Finding
The trigger keywords are generic phrases like 'generate image', 'edit image', 'text to image', and 'image to image', which are likely to match many ordinary user requests unrelated to this specific tool. In an agent environment, this can cause over-invocation of the skill, unintentionally routing user prompts, local file references, and image inputs to an external SaaS API and potentially exposing sensitive data or causing unnecessary charges.

VirusTotal

64/64 vendors flagged this skill as clean.