Dlazy Videoretalk

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud lip-sync skill, but users should understand it uploads sensitive video, audio, and optional face images to dLazy and its examples contain documentation mistakes.

Install only if you are comfortable sending the selected video, audio, optional face image, prompts, and parameters to dLazy's hosted service. Prefer `npx` or review the `@dlazy/cli` package/source before a global install, avoid using sensitive or non-consensual media, and rotate/revoke the dLazy API key if it is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium, 90% confidence
Finding:
The documented output format contradicts the skill's stated behavior: a lip-sync video tool is shown returning an image/png result URL. This can mislead downstream agents or integrations into treating the result as a harmless still image, potentially causing incorrect validation, unsafe automation logic, or failed handling of generated media.

Intent-Code Divergence

Medium, 94% confidence
Finding:
The example invocation and error table refer to an undeclared --prompt option instead of the documented video/audio parameters. This inconsistency can cause agents to supply the wrong inputs, mishandle errors, or invoke the CLI in unintended ways, undermining reliable and safe execution.

Missing User Warnings

Medium, 88% confidence
Finding:
This skill uploads local video, audio, and image inputs to remote dLazy services, but the examples do not repeat that privacy-relevant warning at the point of use. Users may provide sensitive local media under the mistaken assumption that processing is local, leading to unintended disclosure of biometric, voice, or other personal data to third-party infrastructure.

VirusTotal

63/63 vendors flagged this skill as clean.
