Skill v1.0.0

ClawScan security

Dlazy One Click Generation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 2:35 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only wrapper for the dlazy CLI that uploads user-provided media and prompts to dlazy.com/oss.dlazy.com; its requirements and instructions are consistent with that purpose.
Guidance
This skill is a thin client that sends your prompts and any local media you provide to dLazy's cloud (api.dlazy.com / oss.dlazy.com). Before using/installing:
1) Review the GitHub repo and npm package (@dlazy/cli@1.0.8) to ensure you trust the code; prefer running with `npx` to avoid a global npm install.
2) Understand that the dLazy API key will be stored in ~/.dlazy/config.json (or can be provided per-run via DLAZY_API_KEY); only use a key you trust and rotate/revoke it if needed.
3) Do not pass sensitive local files or private data to the CLI unless you accept that it will be uploaded to the service.
4) Verify billing/credit implications (the skill mentions insufficient_balance error handling).
The skill is internally consistent for its stated purpose, but exercise standard caution when granting any third-party tool access to your files or secrets.

Review Dimensions

Purpose & Capability
ok
Name/description (short-video generation) match what the SKILL.md does: it calls the dLazy CLI which communicates with api.dlazy.com and uploads media to oss.dlazy.com. Declared required binaries (npm, npx) are relevant to installing/running the CLI.
Instruction Scope
note
Instructions direct the agent to run `dlazy one-click-generation` and explain that local media paths will be uploaded to the dLazy media storage; this is expected for a cloud-generation client but means any prompts or local files you supply will be transmitted to dLazy. The SKILL.md does not instruct reading unrelated system files or other credentials.
Install Mechanism
note
The skill is instruction-only (no install spec in registry), but metadata suggests using a pinned npm package (@dlazy/cli@1.0.8) or npx. Using npx avoids a global install; installing an npm package executes third-party code from npm/GitHub, so review the package source on GitHub before installing.
Credentials
note
The registry lists no required env vars, but the SKILL.md documents using a DLAZY_API_KEY (or `dlazy auth set`) and a config file at ~/.dlazy/config.json. This is proportionate to the skill's function, but there is a minor inconsistency (the env var is referenced in instructions but not declared in requires.env). Be aware the API key is stored locally by the CLI and is used to call the remote service.
Persistence & Privilege
ok
The skill is not marked always:true and is user-invocable. It does not request elevated or cross-skill configuration changes. Installing the CLI may create a per-user config (~/.dlazy/config.json) which is expected for an authenticated client.