Dlazy Merge

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed dLazy media-merging wrapper; the main caution is its broad “merge” trigger plus expected cloud upload/API-key use.

Install only if you intend to use dLazy for media merging and are comfortable sending referenced audio/video files to dLazy-hosted services. Confirm commands before they run, prefer `npx` or `DLAZY_API_KEY` if you want less local persistence, and avoid using the skill for sensitive media unless dLazy’s terms fit your needs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 84% confidence
Finding: Using a single broad trigger keyword like 'merge' increases the chance the skill is invoked during ordinary conversation or unrelated tasks, which can cause unintended command execution paths in an agent environment. In this skill, accidental invocation is more concerning because it can lead to external API calls and possible upload of local media paths to a third-party service.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger keyword is simply "merge", which is extremely generic and likely to appear in many unrelated user requests. This can cause unintended activation of the skill, leading an agent to invoke an external SaaS CLI, potentially upload local media paths, and prompt for authentication when the user did not intend to use dLazy.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal