Dlazy Gemini 3.1
Advisory
Audited by Static analysis on May 6, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or running the CLI executes code from the external npm package on the user's machine.
The skill relies on an external npm CLI package that is not included in the provided artifact set. The version is pinned and the source/npm links are disclosed, so this is a supply-chain review note rather than a concern.
`npm install -g @dlazy/cli@1.0.9` ... `npx @dlazy/cli@1.0.9 <command>`
Review the linked GitHub/npm package before installation, keep the pinned version, and prefer one-off npx use if you do not want a persistent global binary.
A dLazy API key may allow use of the user's organization credits or service access if exposed.
The skill requires a service API key and stores or reads it from local configuration or an environment variable. This is expected for the dLazy service and is clearly disclosed.
All requests require a dLazy API key ... automatically saves your API key ... `~/.dlazy/config.json` ... `DLAZY_API_KEY`
Use a revocable key, protect the local config file, avoid sharing logs that contain keys, and rotate the key if you suspect exposure.
Prompts, documents, images, videos, audio, and generated outputs may leave the local machine and be handled by dLazy-hosted services.
The skill discloses that prompts and selected local media files are sent to dLazy-hosted endpoints. This is purpose-aligned for cloud inference, but it is a meaningful data-flow boundary.
Prompts and parameters you provide are sent to the dLazy API endpoint (`api.dlazy.com`) ... local file paths ... are uploaded to dLazy's media storage (`files.dlazy.com`)
Only pass files and prompts you are comfortable sending to dLazy, avoid secrets or regulated data unless permitted, and review the provider's terms and data-retention practices.
