Dlazy Jimeng I2v First

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud image-to-video wrapper, with expected API-key use and media uploads for that purpose.

Install only if you are comfortable sending prompts and selected image files to dLazy and storing or supplying a dLazy API key. Prefer npx for one-off use, review the CLI source if needed, and avoid invoking it on sensitive local media unless you intend to upload that file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger keyword "image to video" is broad enough to match many generic user requests, increasing the chance this third-party skill is invoked unexpectedly. Because the skill sends prompts and local file paths to external services and may upload local media to remote infrastructure, overbroad triggering can cause unintended data disclosure or routing of user tasks to an external vendor without sufficiently explicit user intent.

VirusTotal

64/64 vendors flagged this skill as clean.
