Dlazy Search Image

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it asks users to install and authenticate a third-party dLazy CLI while describing the core service as Pixabay image search.

Review this before installing. Use it only if you are comfortable installing the dLazy CLI, sending search parameters through dLazy services, and storing or providing a dLazy API key. Prefer an explicitly pinned CLI version and clarify whether dLazy is merely proxying Pixabay or independently processing requests before relying on it for sensitive workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The skill description says it uses the Pixabay image API, but the body instructs users to install and authenticate a separate dLazy CLI that sends prompts and file paths to dLazy-controlled endpoints. This mismatch can mislead users about the actual processor of their data, trust boundaries, billing, and where credentials or media are sent, which is a supply-chain and data-disclosure risk in a tool-installation context.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The skill description says it queries the Pixabay API, but the body instructs users to authenticate to dLazy and send prompts and file paths to dLazy-controlled endpoints. This mismatch can mislead users about where their data is going, what service is being trusted, and what third party receives credentials or uploaded files, which is a real security and privacy concern in a tool-installation context.

VirusTotal

62/62 vendors flagged this skill as clean.
