Dlazy Claude Opus 4.7
PassAudited by VirusTotal on May 6, 2026.
Overview
Type: OpenClaw Skill Name: dlazy-claude-opus-4-7 Version: 1.1.1 The skill is a standard wrapper for the dLazy service to provide access to Anthropic's Claude Opus 4.7 model. It utilizes a legitimate CLI tool (@dlazy/cli) and communicates with documented endpoints (api.dlazy.com and files.dlazy.com). The instructions provided to the AI agent are focused on error handling (authentication and billing) and align with the stated purpose of the skill. No evidence of data exfiltration beyond the intended file uploads for multimodal processing or malicious execution was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using this skill may make requests under your dLazy organization and could consume account credits.
The skill requires delegated dLazy account credentials and stores them locally, which is expected for this API wrapper but should be noticed because the key can authorize service use.
All requests require a dLazy API key. The recommended way to authenticate is: `dlazy login` ... automatically saves your API key to the local CLI config
Use a dedicated, revocable dLazy API key, verify the local config permissions, and rotate the key if you no longer use the skill.
Prompts and any media files you attach may leave your machine and be processed or hosted by dLazy.
The skill discloses that user prompts and selected local media files are sent to external dLazy services for processing.
Prompts and parameters you provide are sent to the dLazy API endpoint (`api.dlazy.com`) ... Any local file paths you pass to image / video / audio fields are uploaded to dLazy's media storage (`files.dlazy.com`)
Only pass files and prompt content you are comfortable sending to dLazy, and review dLazy’s service terms and data-handling policies before use.
Installing or running the skill depends on code from the external npm package.
The skill relies on an external npm CLI package. The version is pinned and provenance links are provided, but the package code itself is not part of the supplied artifacts.
`npm install -g @dlazy/cli@1.0.9` ... `npx @dlazy/cli@1.0.9 <command>`
Review the linked GitHub repository and npm package before installing; prefer the pinned version and avoid unreviewed upgrades.
The agent could send unintended upstream outputs or stdin content to the model if the command is invoked with broad pipe references.
The skill exposes CLI execution and broad pipe-reference inputs. This is central to its purpose, but it can pass upstream data into the external API if used carelessly.
**CRITICAL INSTRUCTION FOR AGENT**: Execute `dlazy claude-opus-4.7` to get the result. ... Any flag also accepts pipe references — `-`, `@N`, `@N.path`, `@*`, `@stdin`
Use explicit prompts and file paths where possible, and confirm before piping sensitive prior outputs or stdin into the command.