Dlazy Kling V3 Omni

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed dLazy cloud video-generation wrapper that requires an API key and uploads only prompts or media the user provides.

Install only if you are comfortable running the latest @dlazy/cli, storing a dLazy API key locally, and sending prompts plus any referenced media files to dLazy's hosted service. Use DLAZY_API_KEY for per-run credentials if you want less local persistence, avoid passing private media unless intended, and rotate or revoke the key from dLazy if needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger keywords include broad phrases such as general video-generation requests, which can cause the skill to activate unintentionally for unrelated user intents. In an agent setting, overbroad activation can route prompts and local file references to an external SaaS unexpectedly, increasing the chance of unintended data transmission or action execution.

VirusTotal

62/62 vendors flagged this skill as clean.
