Dlazy Seedance 1.5 Pro

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud video-generation wrapper, but users should understand that selected local media and prompts are sent to dLazy and API credentials may be saved locally.

Install only if you are comfortable using dLazy’s hosted service. Treat prompts, selected image/video/audio files, generated output URLs, and the saved API key as sensitive; use npx or the DLAZY_API_KEY environment variable if you want less local persistence, and review the external @dlazy/cli package before running it globally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium (79% confidence)
Finding
The trigger keywords include broad everyday phrases such as '跳舞视频' and '动作视频', which can cause unintended invocation in unrelated conversations. In this skill's context, accidental activation matters because execution can upload local media to remote services and incur API usage, turning prompt ambiguity into privacy and billing risk.

Missing User Warnings

Medium (88% confidence)
Finding
The skill states that local image/video/audio paths are uploaded to `files.dlazy.com`, but it does not present this as a clear user-facing privacy warning or require affirmative consent at point of use. Because the skill handles local files and sends them to third-party infrastructure, insufficient disclosure increases the risk of accidental data exfiltration of sensitive media.

Vague Triggers

Medium (84% confidence)
Finding
The trigger keywords include broad phrases like 'dancing video' and 'action video', which can cause the skill to activate in contexts where the user did not intend to use this third-party cloud service. In this skill, unintended invocation is more concerning because prompts and local file paths may be uploaded to remote endpoints, creating a risk of accidental data disclosure and unwanted API usage/costs.

VirusTotal

64/64 vendors flagged this skill as clean.
