Dlazy Image Generate

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud image-generation skill using a third-party dLazy CLI, with manageable risks around API keys, uploads, costs, and broad activation wording.

Install only if you trust dLazy and are comfortable sending prompts and any referenced local media files to its cloud service. Prefer explicit invocation and confirmation before running generation, review the external CLI before installing a latest-version package, and avoid using sensitive files or long-lived API keys unless necessary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger keywords are very broad, generic terms for image creation such as '生成图片', '画图', and '文生图'. In an agent environment, overly broad triggers can cause the skill to activate during ordinary conversation or in contexts where the user did not intend to invoke an external CLI/API workflow, increasing the chance of unintended network calls, credential use, or file handling.

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger phrases (for example, 'generate image' and 'draw picture') are broad, natural-language requests that are likely to appear in ordinary user conversations. Because this skill can install or invoke an external CLI and transmit prompts or files to remote services, accidental activation could cause unintended command execution, data transfer, or credential-dependent API usage.

VirusTotal

63/63 vendors flagged this skill as clean.
