Skill v1.0.5

ClawScan security

Dlazy Seedance 1.5 Pro · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 2:35 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to be a thin CLI client for a legitimate media-generation service, but there are small yet important inconsistencies and privacy-relevant behaviors you should understand before installing or running it.
Guidance
This skill is a front-end for a cloud media API and behaves as you would expect for that use case, but take these precautions before installing or using it:

- Expect to need a dLazy API key. The registry metadata omitted this requirement; SKILL.md requires it. Obtain the key from dlazy.com and consider creating a key scoped to a separate/test org or with limited permissions.
- Installing the CLI via npm will run third-party code on your machine. Inspect the GitHub repo and the exact npm package version (@dlazy/cli@1.0.8) before global install. Prefer npx for one-off use to avoid persisting a global binary.
- The CLI will upload any local images/videos you pass to oss.dlazy.com. Do not upload sensitive files (personal data, credentials, private keys, proprietary assets) that you would not want hosted externally.
- The CLI stores your API key at ~/.dlazy/config.json (or %USERPROFILE%\.dlazy\config.json on Windows). Verify file permissions and rotate/revoke the key if you suspect compromise.
- The registry's omission of required env vars is an incoherence. Ask the publisher/maintainer (or review the package source) to confirm exactly what credentials and scopes are needed before granting access.

If you are comfortable after reviewing the source and taking the precautions above, prefer using npx for ephemeral invocation and avoid uploading private data to the service.

Review Dimensions

Purpose & Capability
note: Name/description and required binaries (npm, npx) align with a CLI client for a cloud service. However, the registry metadata lists no required credentials while the SKILL.md clearly says a dLazy API key (or DLAZY_API_KEY env var) is required — a mismatch between what the registry declares and what the skill actually needs.
Instruction Scope
note: SKILL.md instructs the agent to run the dlazy CLI and to upload local image/video/audio files to the service's media storage (oss.dlazy.com). That upload behavior is expected for a media-generation service, but it means local files (possibly sensitive) will be transmitted to a third party; the instructions do not add any unrelated filesystem or credential access beyond the CLI flow.
Install Mechanism
note: No platform-level install spec was provided, but SKILL.md and metadata recommend installing a pinned npm package (@dlazy/cli@1.0.8) or using npx. Installing from npm is a common approach and less risky than an arbitrary URL, but npm packages are still code from the registry — review the GitHub/npm source before global installation. Using npx avoids persisting a global binary.
Credentials
concern: The skill requires a dLazy API key (and optionally DLAZY_API_KEY) according to SKILL.md, but the registry lists no required environment variables/primary credential — this omission is inconsistent and could mislead users. The skill stores keys at ~/.dlazy/config.json; that storage is expected but grants the CLI access to your organization-scoped API key and to upload local media to the service.
Persistence & Privilege
ok: The skill does not request always:true or other elevated platform privileges. It is user-invocable and allows normal autonomous invocation. The skill may suggest installing a global CLI, but that is optional (npx alternative exists).