Dlazy Video Image Replicate

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed wrapper for dLazy’s hosted image/video replication service, with expected API-key use and file uploads for that purpose.

Install only if you are comfortable sending prompts and any files you attach to dLazy’s hosted service. Use the pinned npx command if you do not want a persistent global CLI, rotate or revoke the API key if needed, and be mindful that broad requests containing “replicate” could invoke this skill in routing systems.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 82%
Finding
The trigger keywords include broad, common terms such as 'replicate' and '同款', which can match ordinary user requests outside the intended skill scope. In an agent-routing context, this can cause accidental invocation of this skill, leading users to unknowingly send prompts and attached files to the external dLazy service.

VirusTotal

64/64 vendors flagged this skill as clean.
