ClawHub

Dlazy Generate

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed dLazy CLI wrapper for cloud media generation, with expected risks around API credentials, remote uploads, and paid usage.

Install only if you are comfortable sending prompts and any referenced media files to dLazy services and storing or supplying a dLazy API key. Prefer the npx or DLAZY_API_KEY flow if you do not want a global CLI install or persistent local credentials, and watch for credit-consuming requests because the trigger wording is broad.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger keywords are overly broad and overlap with common user language such as '生成' and '创建图片、视频、音频', increasing the chance of accidental skill invocation. In this skill's context, unintended activation can cause external API calls, upload local media paths to a third-party service, consume paid credits, and route user content to remote systems without sufficiently explicit user intent.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The trigger keyword set is overly broad for a high-impact skill that installs and invokes an external CLI and may upload local media to third-party endpoints. A generic trigger like 'generate' can cause accidental activation during ordinary conversation, increasing the chance of unintended command execution, network calls, or prompting users into authentication flows.

Session Persistence

Medium
Category
Rogue Agent
Content
## Trigger Keywords

- generate
- create image, video, audio
- multimodal generation

## Authentication
Confidence
90% confidence
Finding
create image, video, audio - multimodal generation ## Authentication All requests require a dLazy API key. The recommended way to authenticate is: ````bash This runs a device-code flow (also works

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal