Dlazy Banana2

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed wrapper for a third-party image generation CLI, but users should understand that it can store a dLazy API key locally and upload referenced files to dLazy servers.

Install only if you intend to use dLazy for image generation. Prefer npx or review the @dlazy/cli source before global installation, avoid passing sensitive local files unless you want them uploaded to dLazy, and use DLAZY_API_KEY or rotate/revoke the saved key if you no longer trust the local configuration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium (77% confidence)
Finding:
Overly broad trigger keywords can cause the agent to invoke this skill unexpectedly for ordinary conversation about image generation or editing. In this skill, accidental invocation is more concerning because use of the CLI may lead to network requests, cloud uploads of local files, and potential billing against the user's dLazy account.

Missing User Warnings

Medium (90% confidence)
Finding:
The skill documents writing API keys to local configuration and uploading local files to remote endpoints, but it does not present a clear user-facing warning at the point of use. This increases the risk of users unintentionally persisting credentials or sending sensitive local content to a third-party SaaS service.

Vague Triggers

Medium (88% confidence)
Finding:
The trigger keywords are broad and loosely scoped (for example, generic phrases like "generate image, edit image" and "text to image, image to image"), which can cause the skill to activate in contexts where the user did not specifically intend to use this third-party tool. In this skill, unintended activation is more risky because invocation can lead to network calls, local file uploads, and use of persisted API credentials, increasing the chance of accidental data disclosure or unexpected external actions.

VirusTotal

63/63 vendors flagged this skill as clean.
