Dlazy Doubao Tts

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed wrapper around a cloud text-to-speech CLI; it uses a dLazy API key and sends requested text to dLazy, with no hidden or destructive behavior evident in the skill files.

Install only if you are comfortable using the external @dlazy/cli package and sending the text you provide to dLazy's hosted service. Prefer per-invocation DLAZY_API_KEY if you do not want a saved local credential, use the documented dry-run option when checking cost, and be careful with broad requests like 'generate speech' so private text is not sent unintentionally.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 85% confidence
Finding: The trigger keywords include broad phrases like 'text to speech' and 'generate speech', which can cause unintended skill invocation in normal conversation. In this skill’s context, accidental invocation could send user-provided text to a third-party SaaS API and potentially incur costs or expose sensitive content without clear intent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal