Dlazy Happyhorse1 0
AdvisoryAudited by Static analysis on May 2, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or running the skill means trusting the @dlazy/cli npm package to handle local files, credentials, and API calls as documented.
The skill relies on an external npm CLI package rather than included code. The version is pinned and source/package links are disclosed, so this is a supply-chain notice rather than a concern.
"install":"npm install -g @dlazy/cli@1.0.9","installAlternative":"npx @dlazy/cli@1.0.9"
Review the referenced GitHub/npm package before installing, and prefer the pinned version shown by the skill.
Anyone or any process with access to the stored API key could potentially use your dLazy organization account and consume credits until the key is revoked.
The skill requires a dLazy organization API key and can persist it locally. This is expected for the service, but it is sensitive account authority.
All requests require a dLazy API key... automatically saves your API key... ~/.dlazy/config.json... DLAZY_API_KEY
Use a dedicated dLazy key if possible, keep the config file private, and rotate or revoke the key from the dLazy dashboard if you no longer need it.
Sensitive prompts, images, videos, or audio passed to the command will leave the local machine and be processed/stored by dLazy's hosted service.
The skill clearly discloses that user prompts and user-selected local media are sent to external dLazy provider endpoints for processing.
Prompts and parameters you provide are sent to the dLazy API endpoint (`api.dlazy.com`) ... Any local file paths you pass ... are uploaded to dLazy's media storage (`files.dlazy.com`)
Only pass media and prompts you are comfortable uploading to dLazy, and review the service terms or privacy policy before using sensitive content.