Dlazy Plan

Security checks across malware telemetry and agentic risk

Overview

This dLazy planning skill is disclosed and not malicious, but it needs review because a very generic trigger can send planning prompts or file references to a third-party CLI/API unintentionally.

Review before installing. Use it only if you intentionally want dLazy plan generation, are comfortable storing or passing a dLazy API key, and understand prompts or referenced media may be sent to dLazy services. Prefer explicit user confirmation before running `dlazy plan`, and avoid installing it with a generic `plan` trigger in environments where ordinary planning requests are common.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger keyword is simply `plan`, which is highly generic and likely to collide with ordinary user language or other skills that expose planning-related commands. This can cause accidental invocation of this skill in unrelated contexts, leading to unintended execution paths, unnecessary API calls, or disclosure of user prompts to the external dLazy service.

Vague Triggers

Medium
Confidence: 95%
Finding
The trigger keyword is the single common word "plan", which is broad enough to match many unrelated user requests and cause accidental invocation of this skill. Because the skill can drive an external CLI, prompt a hosted API, and may upload referenced local media files to remote endpoints, unintended activation can send user content or file references to a third-party service without the user clearly intending to use dLazy.

VirusTotal

59/59 vendors flagged this skill as clean.
