Dlazy Kling Image O1

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed dLazy cloud image-generation skill that uses a third-party CLI, API key, and optional media uploads without evidence of hidden or destructive behavior.

Install only if you intend to use dLazy/Kling Image O1 and are comfortable sending prompts and selected images to dLazy. Prefer npx if you do not want a persistent global CLI, avoid passing sensitive local files, and rotate or revoke the dLazy API key from the dashboard if needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium (87% confidence)
Finding
The trigger keywords include very broad everyday phrases like '生成图片、编辑图片' and generic model names, which can cause the agent to invoke this skill in contexts the user did not specifically intend. Because this skill can upload local file paths and send prompts to external SaaS endpoints, accidental activation increases the chance of unintended data disclosure or unauthorized external API usage.

Vague Triggers

Medium (92% confidence)
Finding
The trigger keywords are broad enough to match common image-generation or image-editing requests, which can cause the agent to invoke this third-party SaaS skill in situations where the user did not clearly consent to using an external provider. Because this skill sends prompts and may upload local files to remote endpoints, overbroad routing increases the chance of unintended data disclosure and unexpected tool execution.

Missing User Warnings

Medium (95% confidence)
Finding
The skill acknowledges that local file paths provided to image fields are uploaded to remote storage, but this warning is buried in descriptive text and not prominently repeated before usage instructions and examples. In practice, an agent or user may follow the command examples without realizing that passing a local path will exfiltrate local content to external services, creating a meaningful risk of accidental disclosure of sensitive files.

VirusTotal

64/64 vendors flagged this skill as clean.
