Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dlazy Video Scenes

v1.0.0

Detects and splits videos into scene clips using ffmpeg, providing URLs for each clip without analyzing video content.

Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The declared purpose (scene-splitting via ffmpeg) is plausible for a 'video-scenes' skill, but the SKILL.md also references scene-level video understanding and a dlazy CLI. Top-level registry fields list no binaries, env vars, or install steps, while the SKILL.md metadata demands npm/npx and an npm install of @dlazy/cli@1.0.5 — that mismatch is unexpected and unexplained.
Instruction Scope
The runtime instructions tell the agent to run the external 'dlazy' CLI and include explicit agent behavior to request an API key from the user and save it via `dlazy auth set <key>`. That directs the agent to solicit and persist a secret and to run arbitrary CLI commands — scope creep beyond simply invoking ffmpeg or splitting local videos. The SKILL.md also contains contradictory statements (says 'without video content understanding' in some places while elsewhere mentioning scene-level understanding).
Install Mechanism
There is no top-level install spec in the registry, but SKILL.md metadata recommends `npm install -g @dlazy/cli@1.0.5` and requires npm/npx. Installing a third-party npm CLI is a moderate-risk action (public registry, traceable) but the install requirement is not declared at the skill metadata level — an inconsistency to be resolved before trusting automatic install.
Credentials
The instructions explicitly direct the agent to obtain and store a dlazy API key from the user, yet the skill declares no required environment variables or primary credential. Asking the assistant to solicit secrets from users and store them is disproportionate without a declared auth model and increases risk of accidental secret exposure.
Persistence & Privilege
The skill does not set always:true and doesn't claim elevated platform privileges; however it instructs the agent to persist credentials via `dlazy auth set <key>` (which would write auth to disk or CLI config). Persisting its own token is plausible for a CLI-based skill, but because this behavior is not declared in the registry metadata and involves writing secrets, it warrants caution.
What to consider before installing
This skill asks the agent to install and run a third-party npm CLI and to request and save a dlazy API key, but the registry metadata doesn't declare those requirements. Before installing or using it: (1) confirm you trust the publisher and dlazy.com; (2) inspect the @dlazy/cli package source (or avoid global npm installs) to ensure it doesn't exfiltrate data; (3) do NOT paste API keys into chat — instead set credentials locally (e.g., run `dlazy auth set <key>` yourself in a secure terminal) or provide credentials via a secure environment variable, and verify how/where the CLI stores tokens; (4) prefer skills that declare required binaries and auth upfront. If you proceed, avoid giving secrets directly to the assistant and verify the npm package first.

Like a lobster shell, security has layers — review code before you run it.

latest vk97b82n5xqkh09ewg2mdpm0s7985ayza
29 downloads
0 stars
1 version
Updated 22h ago
v1.0.0
MIT-0

dlazy-video-scenes

Scene split tool: uses ffmpeg to detect and split a video into scene clips, returning only the clip URLs without video content understanding.

Trigger Keywords

  • video-scenes

Usage

CRITICAL INSTRUCTION FOR AGENT: Execute dlazy video-scenes to get the result.

dlazy video-scenes -h

Options:
  --video <video>                      Video (URL) [video: url or local path]
  --durationSeconds <durationSeconds>  Duration (s)
  --input <spec>                       JSON payload: inline string, @file, or - (stdin)
  --dry-run                            Print payload + cost estimate without calling API
  --no-wait                            Return generateId immediately for async tasks
  --timeout <seconds>                  Max seconds to wait for async completion (default: "1800")
  -h, --help                           display help for command

Output Format

{
  "ok": true,
  "kind": "text",
  "data": {
    "text": "..."
  }
}

Examples

dlazy video-scenes --prompt 'prompt content'

Error Handling

| Code | Error Type | Example Message |
|------|------------|-----------------|
| 401 | Unauthorized (No API Key) | ok: false, code: "unauthorized", message: "API key is missing or invalid" |
| 501 | Missing required parameter | error: required option '--prompt <prompt>' not specified |
| 502 | Local file read error | Error: Image file/Video file not found: C:\path\to\your\file |
| 503 | API request failed (no balance) | ok: false, code: "insufficient_balance" |
| 503 | API request failed (server error) | HTTP status code error (500 server crash) |
| 504 | Asynchronous task execution failed | === Generation Failed === / {Specific error reason returned by backend, for example "Prompt violates safety policy"} |

AGENT CRITICAL INSTRUCTION:

  1. If the execution result returns code: "insufficient_balance", you MUST explicitly inform the user that their credits are insufficient and guide them to recharge: https://dlazy.com/dashboard/organization/settings?tab=credits
  2. If the execution result returns code: "unauthorized" or indicates missing API key, you MUST inform the user to get their API key from https://dlazy.com/dashboard/organization/api-key and send it to you. Once they provide it, save it using dlazy auth set <key> and resume the task.

Tips

Visit https://dlazy.com for more information.
