Skill v1.0.4
ClawScan security
Dlazy Seedance 2.0 Fast · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 27, 2026, 8:03 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is largely coherent with a CLI-based video-generation tool, but there are provenance/version inconsistencies and an npm install requirement that you should verify before installing or providing API keys.
- Guidance: This skill appears to be a thin CLI client for a hosted dLazy video API, which is coherent with its description, but take these precautions before installing or using it:
  1. Verify the npm package and GitHub repository (review source code). The SKILL contains inconsistent version/provenance information (1.0.2 / 1.0.4 / 1.0.6) that should be resolved.
  2. Prefer using npx for one-off runs (npx @dlazy/cli@1.0.6 ...) instead of a global npm install to reduce persistence.
  3. Be aware the CLI will upload any local media paths you provide to oss.dlazy.com and will store your API key at ~/.dlazy/config.json (or read DLAZY_API_KEY if supplied); only provide files and keys you trust.
  4. Confirm the service domains (api.dlazy.com, oss.dlazy.com) and the publisher identity before giving your API key or installing the package.
  5. If you need higher assurance, ask the publisher for a signed release or audit the package code on GitHub before installing.
Review Dimensions
- Purpose & Capability (note): The name/description describe a CLI client for a hosted video-generation API; the declared requirements (npm, npx) and the CLI workflow (calling api.dlazy.com and uploading media to oss.dlazy.com) match that purpose. However, the SKILL files contain inconsistent version/provenance metadata (skill registry shows version 1.0.4, SKILL.md header is 1.0.2, metadata.install pins @dlazy/cli@1.0.6) and the description references 'ByteDance's Seedance' while the package/URLs reference dlazy/dlazyai, which could be sloppy documentation or misattribution.
- Instruction Scope (ok): Runtime instructions are narrowly scoped: run the dlazy CLI, pass prompts, and (if you give local file paths) the CLI uploads media to the service. The SKILL explicitly documents where API requests and uploads go (api.dlazy.com, oss.dlazy.com) and the CLI stores an API key at ~/.dlazy/config.json. The instructions do not ask the agent to read unrelated system files or exfiltrate arbitrary data beyond media you provide.
- Install Mechanism (note): This is an instruction-only skill (no install spec enforced), but the embedded metadata recommends installing a pinned npm package (@dlazy/cli@1.0.6) or using npx. Installing an npm CLI runs third-party code on your machine, a normal pattern for this use case but a moderate-risk install mechanism. The package is on the public npm registry (npmjs.com) and the SKILL points to a GitHub repo; you should review that source before installing. The registry/in-document version mismatches are worth verifying.
- Credentials (ok): No required environment variables are declared by the registry; the SKILL.md documents an optional DLAZY_API_KEY or using 'dlazy auth set' which stores credentials in ~/.dlazy/config.json. Requesting a single service API key is proportionate to a hosted-API CLI client. No unrelated credentials or config paths are requested.
- Persistence & Privilege (ok): The skill does not request always:true and is user-invocable only. The only persistence behavior described is the CLI storing an API key in the user's config (~/.dlazy/config.json), which is expected for a CLI that needs an API key.
