ClawHub

Dlazy Start

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only quickstart for using the dLazy CLI, with expected install, authentication, cloud-tool, and optional local-runtime guidance.

Install only if you intend to use the dLazy CLI and its cloud/local media tools. Prefer device-code login over pasting API keys into commands, treat ~/.dlazy/config.json as sensitive, review tool schemas and cost estimates before paid calls, and avoid using browser cookies or sending private content to cloud-backed tools unless that is acceptable for your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill tells users to set API keys via CLI arguments or environment variables but does not warn that these methods can expose secrets through shell history, process listings, logs, or inherited subprocess environments. In an AI-agent context, this is more dangerous because orchestrators often echo commands, persist transcripts, and run tools in shared or observable environments.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill promotes use of many cloud tools and URL-based outputs without clearly disclosing that prompts, media, and generated artifacts may be sent to third-party services. That omission can lead agents or users to transmit sensitive data off-host or outside approved boundaries without informed consent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal