Dlazy Gpt 5.5
PassAudited by ClawScan on May 6, 2026.
Overview
The skill is a coherent dLazy cloud-model wrapper, but users should notice that it runs an external CLI, stores a dLazy API key, and sends prompts or selected media files to dLazy services.
This skill does not show artifact-backed malicious behavior. Before installing, confirm you trust the dLazy CLI package and service, understand that your prompts and selected files may be uploaded, and protect or revoke your dLazy API key as needed.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or running the skill may execute code from the dLazy npm package on the user's machine.
The skill relies on executing an external npm-distributed CLI. The package version is pinned and this is central to the skill's purpose, but the CLI code is not included in the submitted artifacts.
npx @dlazy/cli@1.0.9 <command> ... npm install -g @dlazy/cli@1.0.9
Use the pinned version, review the linked source/package before installing, and prefer npx if you do not want a persistent global CLI.
Anyone with access to the saved key could use the user's dLazy account or credits.
The skill requires a dLazy organization API key and can store it locally. This is expected for the SaaS integration, but the key is sensitive and may authorize paid API usage.
所有请求都需要 dLazy API key... 自动把 API key 写入本地 CLI 配置... `~/.dlazy/config.json` ... `DLAZY_API_KEY`
Only authenticate on trusted machines, protect the config file, and rotate or revoke the key from the dLazy dashboard if needed.
Private prompts or selected files may leave the local machine and be processed or hosted by dLazy.
The artifacts disclose that prompts, parameters, and user-specified local media files are sent to dLazy-hosted services.
你提供的提示词与参数会发送到 dLazy API(`api.dlazy.com`)... 本地文件路径会被 CLI 上传到 dLazy 媒体存储(`files.dlazy.com`)
Do not pass confidential prompts or media unless the dLazy service terms and data handling are acceptable.
The agent may steer the user to add credits to continue using the service.
The agent is instructed to direct users to a dLazy billing/credits page when balance is insufficient. This is service-related, but users should recognize it as a payment-related prompt.
如果执行结果返回 `code: "insufficient_balance"`... 您必须明确告知用户当前积分不足,并引导用户点击以下链接前往充值
Verify the billing URL and decide independently whether to purchase or add credits.