Dlazy Heygen Lipsync Speed

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed wrapper around a hosted dLazy lip-sync API, with a documentation inconsistency but no artifact-backed evidence of hidden or malicious behavior.

Before installing, understand that this uses a third-party dLazy CLI and cloud API: your prompts, parameters, and any video or audio files you pass may be uploaded to dLazy-hosted services, and login can save an API key locally. The main issue to check is documentation quality: the sample --prompt usage does not match the listed lip-sync options, so verify the CLI help before running tasks or passing sensitive files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium (89% confidence)
Finding
The example command instructs users/agents to pass a `--prompt` argument that is not listed in the documented options for `dlazy heygen-lipsync-speed`. In a skill that explicitly uploads user inputs and local file paths to remote services, undocumented parameters create ambiguity about what data is accepted and transmitted, increasing the risk of unintended disclosure, misuse by agents, or invocation of hidden CLI behavior.

VirusTotal

63/63 vendors flagged this skill as clean.
