Skill v1.0.5

ClawScan security

Dlazy Seedream 5.0 Lite · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 2:35 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to be a thin wrapper around a legitimate dLazy CLI for image generation, but there are small inconsistencies (missing API-key declaration in registry metadata and a version mismatch) and an install step that would install a third‑party npm CLI — review before installing or granting access.
Guidance
This skill is a CLI client for dLazy's image API and generally coherent with that purpose, but take these precautions before installing or using it:
- Verify the npm package (@dlazy/cli@1.0.8) and GitHub repo (github.com/dlazyai/cli) yourself before running npm install -g; prefer npx for on-demand use to avoid a global install.
- Provide the dLazy API key only if you trust the service; the CLI will store it at ~/.dlazy/config.json (check file permissions). The registry metadata failing to declare the API key is an omission — expect to need credentials.
- Confirm the package authenticity on npm/github and check changelogs; I noticed the SKILL.md header claims version 1.0.2 while the registry shows 1.0.5, which may indicate outdated documentation or packaging mismatch.
- Be aware that any local images you pass will be uploaded to oss.dlazy.com; don't pass sensitive or private files you don't want uploaded.
If you want greater assurance, ask the skill author to (1) declare the required DLAZY_API_KEY in registry metadata, (2) fix the documented version mismatch, and (3) provide a link to a release tarball or commit hash to audit the exact CLI code that will be installed.

Review Dimensions

Purpose & Capability
ok
Name/description match the instructions: this is a client for dLazy Seedream 5.0 Lite and the listed dependencies (npm/npx and the @dlazy/cli package) are consistent with that purpose.
Instruction Scope
ok
Runtime instructions are limited to invoking the dLazy CLI, uploading any local media paths to the service, and handling API key setup via the CLI or DLAZY_API_KEY. There are no instructions to read unrelated system files or exfiltrate data beyond the expected uploads to oss.dlazy.com.
Install Mechanism
note
The skill is instruction-only (no install spec in the registry), but SKILL.md metadata recommends installing a pinned npm package (@dlazy/cli@1.0.8) or using npx. Installing a global npm CLI is a moderate-risk action — verify the npm package and GitHub repo before running npm install -g. The package is pinned and references GitHub and npm, which is better than an opaque download.
Credentials
concern
The SKILL.md clearly requires a dLazy API key (stored in ~/.dlazy/config.json or via DLAZY_API_KEY), but the registry metadata lists no required environment variables or primary credential. The omission is an inconsistency: the skill will need the API key for normal operation but that credential is not declared in the registry entry.
Persistence & Privilege
ok
The skill does not request always:true or other elevated platform privileges. The only persistent footprint mentioned is the CLI's user config (~/.dlazy/config.json), which stores the API key if the user runs 'dlazy auth set'.