Dlazy Keling Tts

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed wrapper for a third-party text-to-speech CLI and does not show hidden or destructive behavior.

Install this only if you are comfortable using dLazy's hosted service for TTS. Treat prompts and any referenced files as data sent to dLazy, review the @dlazy/cli package/source before global installation, and prefer the DLAZY_API_KEY environment variable if you do not want the API key saved in the local config file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger keyword "generate speech" is broad enough to match many unrelated user requests, which can cause an agent to invoke this external SaaS-backed skill in contexts the user did not specifically intend. Because the skill sends prompts and possibly referenced files to remote endpoints, overbroad invocation increases the chance of unintended data disclosure and unnecessary third-party API calls.

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger keyword "text to speech" is highly generic and may cause this skill to be selected for broad classes of requests where the user has not consented to using the dLazy service. In this skill's context, that matters because invocation can transmit user prompts and file references to external API and storage endpoints, turning a routing mistake into a privacy and data-handling issue.

VirusTotal

64/64 vendors flagged this skill as clean.
