Dlazy Fun Asr

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed wrapper for a hosted transcription CLI, with a minor documentation version mismatch but no evidence of hidden or malicious behavior.

Before installing, confirm that @dlazy/cli@1.2.0 is the intended version despite the stale 1.0.9 prose. Use this skill only for audio/media you are comfortable uploading to dLazy, and treat the stored API key as a sensitive credential that can be rotated or revoked.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Low
Confidence: 94%
Finding
The skill documentation says the CLI package is pinned to version 1.0.9, while the actual install metadata and examples pin 1.2.0. This inconsistency can mislead reviewers and users about what code will actually be installed, weakening supply-chain transparency and making security review or reproduction harder.

VirusTotal

63/63 vendors flagged this skill as clean.
