ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dlazy Superres

v1.0.0

Enhances image resolution and clarity from a URL or local path, returning an improved image URL for low-res restoration and upscaling.

0· 36·0 current·0 all-time
by@dlazyai
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The described functionality (image super-resolution) matches the use of a 'dlazy superres' CLI. However, registry metadata shows no install or required binaries while the SKILL.md metadata explicitly requires npm/npx and an 'npm install -g @dlazy/cli@1.0.5' — this mismatch is unexpected and unexplained.
!
Instruction Scope
The runtime instructions direct the agent to execute the dlazy CLI and include explicit, mandatory agent behavior: ask the user for their API key, have the user 'send it to you', and then run 'dlazy auth set <key>' to save it. Instructing the agent to solicit and persist secrets is scope creep and increases risk of accidental exfiltration or misuse.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md metadata prescribes a global npm install of @dlazy/cli@1.0.5. Installing an unreviewed npm package globally is moderate risk (writes to disk, executes third-party code). The install instruction being present only in SKILL.md (not in the registry install fields) is an inconsistency.
!
Credentials
The registry lists no required credentials or config paths, yet the SKILL.md error handling and agent instructions assume an API key exists and explicitly tell the agent to collect and persist it. Required secrets are not declared up front, and the agent is told to request them from the user — disproportionate and risky behavior for a simple image-upscaling skill.
!
Persistence & Privilege
The skill instructs the agent to save credentials using 'dlazy auth set <key>', which implies persisting a user API key on the agent/system. While the skill is not marked 'always:true', this explicit credential persistence increases the blast radius if the agent or environment is later compromised or if the agent mishandles secrets.
What to consider before installing
This skill likely calls a third‑party CLI (npm @dlazy/cli) to perform upscaling, which can be reasonable, but there are red flags: the manifest and the SKILL.md disagree about install requirements, and the instructions tell the agent to ask you to 'send' your API key and then save it. Do not paste your API key into chat. If you want to use this skill: (1) verify the npm package (@dlazy/cli) on the npm registry and inspect its source before installing; (2) prefer to install and run the CLI yourself locally rather than giving the key to the agent; (3) if required, set the API key locally via 'dlazy auth set <key>' on your machine rather than sharing it in conversation; (4) consider whether you trust global npm installs on the system running the agent. Because of the inconsistencies and the secret‑collection instruction, proceed only after confirming the package's provenance and avoiding sending secrets directly to the agent.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fvyr2513vt4kx1ykesv9tkn85b9rp
36downloads
0stars
1versions
Updated 23h ago
v1.0.0
MIT-0
@dlazyai
latest
Download

dlazy-superres

Image super-resolution tool: enhances image clarity and details, returning enhanced URL, suitable for low-res asset restoration and upscaling.

Trigger Keywords

  • superres

Usage

CRITICAL INSTRUCTION FOR AGENT: Execute dlazy superres to get the result.

dlazy superres -h

Options:
  --image <image>                      Image (URL) [image: url or local path]
  --input <spec>                       JSON payload: inline string, @file, or - (stdin)
  --dry-run                            Print payload + cost estimate without calling API
  --no-wait                            Return generateId immediately for async tasks
  --timeout <seconds>                  Max seconds to wait for async completion (default: "1800")
  -h, --help                           display help for command

Output Format

{
  "ok": true,
  "kind": "urls",
  "data": {
    "urls": [
      "https://oss.dlazy.com/result.mp4"
    ]
  }
}

Examples

dlazy superres --prompt 'prompt content'

Error Handling

CodeError TypeExample Message
401Unauthorized (No API Key)ok: false, code: "unauthorized", message: "API key is missing or invalid"
501Missing required parametererror: required option '--prompt <prompt>' not specified
502Local file read errorError: Image file/Video file not found: C:\path\to\your\file
503API request failed (no balance)ok: false, code: "insufficient_balance"
503API request failed (server error)HTTP status code error (500 server crash)
504Asynchronous task execution failed=== Generation Failed === / {Specific error reason returned by backend, for example "Prompt violates safety policy"}

AGENT CRITICAL INSTRUCTION:

  1. If the execution result returns code: "insufficient_balance", you MUST explicitly inform the user that their credits are insufficient and guide them to recharge: https://dlazy.com/dashboard/organization/settings?tab=credits
  2. If the execution result returns code: "unauthorized" or indicates missing API key, you MUST inform the user to get their API key from https://dlazy.com/dashboard/organization/api-key and send it to you. Once they provide it, save it using dlazy auth set <key> and resume the task.

Tips

Visit https://dlazy.com for more information.

Comments

Loading comments...