Dlazy Veo 3.1 Fast
v1.0.0
Fast response and generation of short videos with Google Veo 3.1 Fast.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match a CLI that generates short videos. Requesting npm/npx is believable because the skill expects a published CLI, but the SKILL metadata includes an npm install line while the registry install spec is absent — an inconsistency. The skill also instructs the agent to request and save an API key even though no credential or primaryEnv is declared.
Instruction Scope
The SKILL.md explicitly tells the agent to run the 'dlazy veo-3.1-fast' CLI and to ask users for their API key and then run 'dlazy auth set <key>' to save it. Requesting the user to transmit secrets through the chat and to save them is sensitive behavior and is not reflected in the declared requirements. The instructions also reference reading local image files (expected) and pointing users to dlazy.com links (expected for the service).
Install Mechanism
No formal install spec was registered, but the embedded metadata suggests 'npm install -g @dlazy/cli@1.0.5'. Installing a global npm package is moderate risk because it can run arbitrary code on the host; however, the source is a normal npm package name (not a shortener or IP). The absence of a registry install entry while instructing global install in metadata is an implementation inconsistency worth questioning.
Credentials
The skill requests no environment variables or primary credential in metadata but explicitly instructs the agent to obtain and store a dlazy API key from the user. That mismatch is disproportionate: a video-generation skill legitimately needs an API key, but the skill should declare that requirement. Asking users to paste secrets into chat and saving them via CLI is a privacy risk.
Persistence & Privilege
always:false and agent invocation are normal. However, the skill's recommended global npm install and 'dlazy auth set' imply persistent system changes (global binary and stored credentials/config). That persistence is expected for a CLI client but isn't declared in registry metadata and increases the blast radius if the CLI is malicious or compromised.
What to consider before installing
This skill appears to wrap a third-party CLI (@dlazy/cli) to generate short videos and therefore will likely require a dlazy API key and a global npm install. Before installing or providing any secret:
1) Do not paste API keys into chat unless you explicitly accept the risk; prefer configuring them locally (e.g., set them in your CLI or environment yourself).
2) Verify the npm package (@dlazy/cli@1.0.5) on the npm registry and its source repository (check publisher, README, and recent versions).
3) Prefer not to install global packages from unknown publishers; consider running the CLI in a sandbox or container.
4) Ask the skill publisher why the registry metadata omits required credentials and why the install instruction appears only in SKILL metadata.
If you cannot verify the package and the publisher, treat this skill as risky and avoid sharing secrets or performing global installs.
Like a lobster shell, security has layers: review code before you run it.
Runtime requirements
🤖 Clawdis
Bins: npm, npx
latest
dlazy-veo-3.1-fast
Fast response and generation of short videos with Google Veo 3.1 Fast.
Trigger Keywords
- veo 3.1 fast
- fast generate video
- text to video, image to video
Usage
CRITICAL INSTRUCTION FOR AGENT:
Run the dlazy veo-3.1-fast command to get results.
dlazy veo-3.1-fast -h
Options:
  --prompt <prompt>                    Prompt
  --images <images...>                 Images [image: url or local path] (max 3) [default: ] [only when generation_mode="components"]
  --generation_mode <generation_mode>  Generation Mode [default: frames] (choices: "frames", "components")
  --firstFrame <firstFrame>            First Frame [image: url or local path] [only when generation_mode="frames"]
  --lastFrame <lastFrame>              Last Frame [image: url or local path] [only when generation_mode="frames"]
  --size <size>                        Size [default: 16:9] (choices: "16:9", "9:16")
  --resolution <resolution>            Resolution [default: 720P] (choices: "720P", "1080P", "4K")
  --input <spec>                       JSON payload: inline string, @file, or - (stdin)
  --dry-run                            Print payload + cost estimate without calling API
  --no-wait                            Return generateId immediately for async tasks
  --timeout <seconds>                  Max seconds to wait for async completion (default: "1800")
  -h, --help                           display help for command
Output Format
{
  "ok": true,
  "kind": "urls",
  "data": {
    "urls": [
      "https://oss.dlazy.com/result.mp4"
    ]
  }
}
Command Examples
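# basic call (the help output lists --images, valid only with generation_mode "components"):
dlazy veo-3.1-fast --prompt 'prompt text' --generation_mode components --images '/path/to/image.png'
# complex call (image passed as a URL):
dlazy veo-3.1-fast --prompt 'prompt text' --generation_mode components --images 'https://oss.dlazy.com/image.png'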
Error Handling
| Code | Error Type | Example Message |
|---|---|---|
| 401 | Unauthorized (No API Key) | ok: false, code: "unauthorized", message: "API key is missing or invalid" |
| 501 | Missing required parameter | error: required option '--prompt <prompt>' not specified |
| 502 | Local file read error | Error: Image file/Video file not found: C:\path\to\your\file |
| 503 | API request failed (no balance) | ok: false, code: "insufficient_balance" |
| 503 | API request failed (server error) | HTTP status code error (500 server crash) |
| 504 | Asynchronous task execution failed | === Generation Failed === / {Specific error reason returned by backend, for example "Prompt violates safety policy"} |
AGENT CRITICAL INSTRUCTION:
- If the execution result returns code: "insufficient_balance", you MUST explicitly inform the user that their credits are insufficient and guide them to recharge: https://dlazy.com/dashboard/organization/settings?tab=credits
- If the execution result returns code: "unauthorized" or indicates missing API key, you MUST inform the user to get their API key from https://dlazy.com/dashboard/organization/api-key and send it to you. Once they provide it, save it using dlazy auth set <key> and resume the task.
Tips
Visit https://dlazy.com for more information.
