Dlazy Recraft V3 Svg

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed wrapper for a paid/cloud dLazy SVG-generation CLI, with no artifact-backed evidence of hidden or destructive behavior.

Install only if you intend to use dLazy/Recraft for SVG generation and are comfortable sending prompts and any explicitly referenced files to dLazy. Prefer npx for one-off use if you do not want a persistent global CLI, and rotate or revoke the API key from the dLazy dashboard if needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger phrases include very broad terms like '文生图' and generic image-generation requests, which can cause this skill to activate for many ordinary creative prompts without clear user intent to use dlazy or this specific Recraft SVG tool. Over-broad activation increases the chance of unintended command execution, data transfer to the vendor API, and surprise authentication or billing flows.

Natural-Language Policy Violations

Medium
Confidence: 84%
Finding
The documentation instructs the agent to give specific Chinese-language responses and prescribed follow-up actions when certain API errors occur, regardless of the user's language preference. This can override normal agent behavior and create prompt-level steering inside the skill, which is risky because skill-authored instructions may manipulate user communication or agent decision-making without user consent.

Vague Triggers

Medium
Confidence: 93%
Finding
The trigger keyword "text to image" is much broader than the skill’s actual scope of generating SVGs via a specific Recraft v3 command. Broad matching can cause the agent to invoke this skill for unrelated image-generation requests, leading to unintended command execution, unnecessary API calls, and possible transmission of prompts or file references to the external dLazy service.

VirusTotal

63/63 vendors flagged this skill as clean.
