Back to skill
Skillv1.0.5
ClawScan security
Dlazy Kling Image O1 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 29, 2026, 2:35 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally coherent: it is an instruction-only wrapper for the dLazy CLI, asks for no unrelated credentials, and its install/use patterns match the declared purpose.
- Guidance
- This skill is a thin wrapper around the dLazy CLI. Before installing or using it: (1) prefer running with `npx @dlazy/cli@1.0.8` to avoid a global npm install; (2) review the npm package and the GitHub repo (https://github.com/dlazyai/cli) yourself to confirm behavior; (3) be aware any local images/files you pass will be uploaded to dLazy (oss.dlazy.com); (4) the API key is stored in ~/.dlazy/config.json by the CLI—keep it private and rotate/revoke it if needed; (5) avoid passing sensitive files to the CLI and verify you trust api.dlazy.com/oss.dlazy.com before uploading production data.
Review Dimensions
- Purpose & Capability
- okThe name/description match the instructions: the skill tells the agent to run the dLazy CLI and the metadata declares npm/npx and a pinned npm package. Required binaries (npm, npx) and the stated config locations are consistent with installing/using a CLI.
- Instruction Scope
- noteSKILL.md instructs the agent to run `dlazy kling-image-o1` and to upload any local image/video files to dLazy's storage. This is within the expected scope for a cloud image-generation CLI, but note that providing local file paths will cause those files to be uploaded to the vendor's service and the CLI stores the API key in ~/.dlazy/config.json (or can use DLAZY_API_KEY).
- Install Mechanism
- okNo automatic install is included in the package. The metadata recommends a pinned npm package (@dlazy/cli@1.0.8) or using npx. Installing from npm is expected for a CLI; no arbitrary download URLs or extract operations are present in the skill itself.
- Credentials
- okThe skill declares no required environment variables; it documents an optional DLAZY_API_KEY (reasonable for an API client). The only credential-like artifact described is the dLazy API key (stored in the user config), which is appropriate for the stated function.
- Persistence & Privilege
- okThe skill is instruction-only, not always-enabled, and does not request system-wide privileges or modify other skills. The CLI will store a user-scoped config file, which is normal behavior for a CLI tool.