Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dlazy Veo 3.1

v1.0.0

Generate high-quality cinematic effects videos with Google Veo 3.1.

Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill description advertises "Google Veo 3.1", but the runtime instructions and examples exclusively reference a third‑party CLI (@dlazy/cli), dlazy.com, and oss.dlazy.com. That mismatch (Google branding vs dlazy backend) is potentially misleading. The registry showed no formal install spec, yet the SKILL.md frontmatter contains an npm global install command for @dlazy/cli@1.0.5 — another inconsistency between declared metadata and the instructions.
! Instruction Scope
The SKILL.md instructs the agent to run the dlazy CLI and (critically) to request the user's API key, accept it in chat, run `dlazy auth set <key>` to save it, and then continue. Asking the agent to solicit and persistently store a user's API key (via chat input) expands scope beyond just running a CLI and creates a clear sensitive-data collection vector. Otherwise, file/path usage for images is consistent with a video-generation tool.
! Install Mechanism
Although the registry lists no install spec, the skill frontmatter recommends `npm install -g @dlazy/cli@1.0.5`. A global npm install will write code to disk and can execute arbitrary install scripts from the package — this is higher risk than an instruction-only skill. No provenance or maintainer verification info is provided for the npm package.
! Credentials
The registry declares no required environment variables or credentials, but the instructions explicitly require an API key (and direct the agent to ask the user to paste it). This is a mismatch: a credential is needed in practice but not declared. The skill also guides users to dlazy.com URLs for API keys and payments, indicating credentials are for a dlazy service (not Google).
Persistence & Privilege
always is false and the skill does not request elevated system privileges. However, the instructions tell the agent to run `dlazy auth set <key>`, which will likely cause the CLI to persist credentials on the host (e.g., in a config file). That persistence is limited to the CLI's config but is not declared in metadata and could be unexpected for users.
What to consider before installing
This skill is suspicious because its description (mentions Google Veo) doesn't match what it actually uses (the dlazy CLI and dlazy.com). It asks you to paste an API key into the chat and to run a global npm install for @dlazy/cli — both of which carry privacy and code-execution risks. Before installing or using it:

  1. Don't paste sensitive keys into chat; prefer using a secure environment variable or a vetted integration.
  2. Verify the npm package @dlazy/cli and its publisher on the npm registry and inspect its code/installation scripts before running a global install.
  3. Confirm whether dlazy is an authorized frontend for the Google model (the skill's Google claim may be marketing).
  4. If you must try it, run the npm install and any CLI commands inside an isolated VM or container.
  5. Ask the publisher for an explicit install spec and privacy/security details (where keys are stored, retention, and whether the service transmits your files externally).

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🤖 Clawdis
Bins: npm, npx
latest: vk973fdawpn511k5zdwqcqyrmx185bkkx
37 downloads
0 stars
1 version
Updated 23h ago
v1.0.0
MIT-0

dlazy-veo-3.1

Generate high-quality cinematic effects videos with Google Veo 3.1.

Trigger Keywords

  • veo 3.1
  • generate video
  • text to video, image to video

Usage

CRITICAL INSTRUCTION FOR AGENT: Run the dlazy veo-3.1 command to get results.

dlazy veo-3.1 -h

Options:
  --prompt <prompt>                    Prompt
  --images <images...>                 Images [image: url or local path] (max 3) [default: ] [only when generation_mode="components"]
  --generation_mode <generation_mode>  Generation Mode [default: frames] (choices: "frames", "components")
  --firstFrame <firstFrame>            First Frame [image: url or local path] [only when generation_mode="frames"]
  --lastFrame <lastFrame>              Last Frame [image: url or local path] [only when generation_mode="frames"]
  --size <size>                        Size [default: 16:9] (choices: "16:9", "9:16")
  --resolution <resolution>            Resolution [default: 720P] (choices: "720P", "1080P", "4K")
  --input <spec>                       JSON payload: inline string, @file, or - (stdin)
  --dry-run                            Print payload + cost estimate without calling API
  --no-wait                            Return generateId immediately for async tasks
  --timeout <seconds>                  Max seconds to wait for async completion (default: "1800")
  -h, --help                           display help for command

Output Format

{
  "ok": true,
  "kind": "urls",
  "data": {
    "urls": [
      "https://oss.dlazy.com/result.mp4"
    ]
  }
}

Command Examples

# basic call:
dlazy veo-3.1 --prompt 'prompt text' --image '/path/to/image.png'

# complex call:
dlazy veo-3.1 --prompt 'prompt text' --image 'https://oss.dlazy.com/image.png'

Error Handling

Code  Error Type                          Example Message
401   Unauthorized (No API Key)           ok: false, code: "unauthorized", message: "API key is missing or invalid"
501   Missing required parameter          error: required option '--prompt <prompt>' not specified
502   Local file read error               Error: Image file/Video file not found: C:\path\to\your\file
503   API request failed (no balance)     ok: false, code: "insufficient_balance"
503   API request failed (server error)   HTTP status code error (500 server crash)
504   Asynchronous task execution failed  === Generation Failed === / {Specific error reason returned by backend, for example "Prompt violates safety policy"}

AGENT CRITICAL INSTRUCTION:

  1. If the execution result returns code: "insufficient_balance", you MUST explicitly inform the user that their credits are insufficient and guide them to recharge: https://dlazy.com/dashboard/organization/settings?tab=credits
  2. If the execution result returns code: "unauthorized" or indicates missing API key, you MUST inform the user to get their API key from https://dlazy.com/dashboard/organization/api-key and send it to you. Once they provide it, save it using dlazy auth set <key> and resume the task.

Tips

Visit https://dlazy.com for more information.
