Dlazy Search Video

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed dLazy CLI wrapper for stock video search, with documentation inconsistencies but no evidence of hidden or malicious behavior.

Install only if you are comfortable using the dLazy CLI, storing or supplying a dLazy API key, and sending search requests through dLazy rather than directly to Pixabay. Prefer npx if you do not want a persistent global binary, review the pinned npm package/source if needed, and avoid passing private local files unless you intend them to be uploaded.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The skill description claims it searches the Pixabay video API, but the rest of the document shows it actually routes requests through the dLazy CLI and dLazy-hosted APIs. This provenance mismatch can mislead users about where their prompts, files, and credentials are sent, undermining informed consent and security review.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The document asserts the skill does not exceed file system or network access, yet it instructs installation and execution of an external CLI that writes API keys to local config and may upload local files to remote storage. This is dangerous because it minimizes real side effects and may cause agents or users to approve execution without understanding credential storage and data exfiltration risks.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The skill advertises itself as a Pixabay video search tool, but later states that user prompts and parameters are sent to dLazy-hosted endpoints. This mismatch can mislead users and agents about where data is processed and what third-party service is actually used, undermining informed consent and potentially causing unintended data disclosure to a different SaaS provider than expected.

VirusTotal

63/63 vendors flagged this skill as clean.
