Dlazy Vidu Audio Clone
v1.0.0
Clone voice and generate new text reading audio with one click using Vidu Audio Clone.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (Vidu audio clone) align with a CLI-based implementation; requiring npm/npx and suggesting npm install -g @dlazy/cli@1.0.5 is plausible. However the skill does not declare any required credentials or primaryEnv even though the CLI apparently requires an API key (401/unauthorized handling is described).
Instruction Scope
The SKILL.md explicitly instructs the agent to ask users to obtain an API key from dlazy.com and 'send it to you', then run `dlazy auth set <key>` to save it. That directs the agent to solicit and capture a secret from the user via chat and persist it via the CLI, which expands the agent's scope beyond simply running a command. The instructions also mandate user-facing guidance (links) and specific behavior on error codes, giving the agent normative steps to collect credentials.
Install Mechanism
Installation is via npm global install (@dlazy/cli@1.0.5) as shown in the SKILL.md metadata. npm installs from the public registry are common but carry moderate risk because packages can execute arbitrary code during install. There is no install spec in the registry metadata, only in SKILL.md, which is an inconsistency to note.
Credentials
The skill declares no required environment variables or primary credential, yet the runtime instructions assume and instruct the agent to obtain and store a dlazy API key. This mismatch means secrets handling is required but not declared. Asking users to paste API keys into chat and instructing the agent to save them increases the risk of accidental exposure.
Persistence & Privilege
The skill does not request always:true and does not declare system config path access. Running `dlazy auth set` would persist a credential through the CLI, which is a normal behavior for a CLI-based integration, but it is not excessive on its face.
What to consider before installing
This skill appears to rely on an external npm CLI (@dlazy/cli) and its API key, but the package/author is unknown and the skill's metadata does not declare the credential it expects. Before installing or using it: 1) verify the @dlazy/cli package and its publisher on the npm registry and inspect its source; 2) do not paste sensitive API keys into chat—prefer to set them locally (e.g., run `dlazy auth set <key>` yourself in a controlled environment) or use a platform secret manager; 3) if you must test, run the npm install and CLI in an isolated environment (VM/container) first; 4) ask the skill author/publisher for a homepage, source repo, and justification for how credentials are handled. These steps reduce the risk of accidental credential exposure or installing a malicious npm package.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🤖 Clawdis
Bins: npm, npx
latest
dlazy-vidu-audio-clone
Clone voice and generate new text reading audio with one click using Vidu Audio Clone.
Trigger Keywords
- vidu audio clone
- clone voice
- custom speech
Usage
CRITICAL INSTRUCTION FOR AGENT:
Run the dlazy vidu-audio-clone command to get results.
dlazy vidu-audio-clone -h
Options:
--audio_url <audio_url> Audio URL [audio: url or local path]
--prompt <prompt> Prompt
--input <spec> JSON payload: inline string, @file, or - (stdin)
--dry-run Print payload + cost estimate without calling API
--no-wait Return generateId immediately for async tasks
--timeout <seconds> Max seconds to wait for async completion (default: "1800")
-h, --help display help for command
Output Format
{
  "ok": true,
  "kind": "urls",
  "data": {
    "urls": [
      "https://oss.dlazy.com/result.mp4"
    ]
  }
}
Command Examples
# basic call:
dlazy vidu-audio-clone --prompt 'prompt text'
# complex call:
dlazy vidu-audio-clone --prompt 'prompt text'
Error Handling
| Code | Error Type | Example Message |
|---|---|---|
| 401 | Unauthorized (No API Key) | ok: false, code: "unauthorized", message: "API key is missing or invalid" |
| 501 | Missing required parameter | error: required option '--prompt <prompt>' not specified |
| 502 | Local file read error | Error: Image file/Video file not found: C:\path\to\your\file |
| 503 | API request failed (no balance) | ok: false, code: "insufficient_balance" |
| 503 | API request failed (server error) | HTTP status code error (500 server crash) |
| 504 | Asynchronous task execution failed | === Generation Failed === / {Specific error reason returned by backend, for example "Prompt violates safety policy"} |
AGENT CRITICAL INSTRUCTION:
- If the execution result returns code: "insufficient_balance", you MUST explicitly inform the user that their credits are insufficient and guide them to recharge: https://dlazy.com/dashboard/organization/settings?tab=credits
- If the execution result returns code: "unauthorized" or indicates missing API key, you MUST inform the user to get their API key from https://dlazy.com/dashboard/organization/api-key and send it to you. Once they provide it, save it using `dlazy auth set <key>` and resume the task.
Tips
Visit https://dlazy.com for more information.
