Dlazy Video Scenes

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed dLazy CLI wrapper for video scene processing, with a documentation inconsistency users should notice before sending sensitive videos.

Install only if you are comfortable sending selected videos, prompts, and parameters to dLazy's hosted service and storing a dLazy API key locally. Because the documentation conflicts about whether the service only splits scenes or also performs video understanding, avoid using it for highly sensitive media until the publisher clarifies the exact processing pipeline.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The skill description materially misrepresents what the tool does: the front matter claims scene-level video understanding and structured analysis, while the body says it only splits scenes and returns clip URLs. This can cause an agent or user to trust the tool with tasks it cannot perform, leading to unsafe decision-making, privacy misunderstandings about uploaded media, or incorrect downstream automation based on nonexistent analysis.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
Contradictory documentation about whether the tool performs video content understanding is a security-relevant integrity issue because agents may route sensitive interpretation tasks to this skill under false assumptions. In this context, the skill uploads local media to third-party endpoints, so ambiguity about semantic processing and returned analysis increases the risk of misuse, overcollection, and incorrect trust in generated results.

VirusTotal

59/59 vendors flagged this skill as clean.
