Dlazy Recraft V4 Pro

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed dLazy image-generation skill, with a real but limited supply-chain concern from using @latest for its CLI install.

Install only if you trust dLazy and the current `@dlazy/cli` release with your prompts, API key use, and any files you pass to the command. Prefer a pinned CLI version where possible, review the linked source/package before global install, and rotate or revoke the dLazy API key if it is exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Intent-Code Divergence

Low

Confidence: 95% confidence
Finding: The documentation states the package is pinned to version 1.0.9, but both the manifest and examples use @latest. Installing a CLI at @latest makes the executed code mutable over time, defeating reproducibility and supply-chain review; a future compromised or breaking release could be pulled automatically by users or agents.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal