ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dlazy Viduq2 I2v

v1.0.0

Convert static images into dynamic videos using Vidu Q2 image-to-video model.

0· 33·0 current·0 all-time
by@dlazyai
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (convert images to video) matches the use of a CLI named 'dlazy viduq2-i2v'. However the registry metadata lists no required credentials while the SKILL.md clearly expects an API key (401/"unauthorized" handling) and includes an install command in its metadata string ('npm install -g @dlazy/cli@1.0.5') that is not reflected in the skill's install spec — an inconsistency.
!
Instruction Scope
The instructions explicitly tell the agent to ask the user for their API key, instruct the user to send it to the agent, and then run 'dlazy auth set <key>' to save it. That directs the agent to collect and persist a secret from the user. While a service CLI legitimately needs an API key, the skill should have declared that requirement up-front; instructing the agent to prompt the user for secrets inside the chat expands the agent's scope and risk.
Install Mechanism
This is an instruction-only skill (no install spec in the registry), but the SKILL.md metadata suggests installing a global npm package (@dlazy/cli@1.0.5). Installing a public npm package globally is a moderate-risk action (it runs code from the npm registry and creates global binaries). The absence of an explicit registry install spec and no authoritative homepage/repo for verification increases uncertainty.
!
Credentials
The skill did not declare any required environment variables or primary credential in the registry metadata, yet the instructions handle 'unauthorized' cases by telling the agent to obtain and save an API key. Requiring the user to reveal/store a secret without it being declared is disproportionate and should be explicit. No other unrelated credentials are requested, but the missing declaration is a red flag.
Persistence & Privilege
always:false and agent invocation is normal. However, the skill directs persistent storage of an API key using the CLI command 'dlazy auth set <key>', which causes credential persistence on the host. That persistence is reasonable for a CLI integration but the skill should document where/how the key is stored and surface this to the user before asking for secrets.
What to consider before installing
This skill appears to call a third-party CLI (dlazy) and instructs the agent to ask you for your dlazy API key and save it. Before installing or providing any secret: (1) do not paste API keys into chat unless you trust the provider and understand where the key will be stored; prefer to run the CLI yourself locally and provide only files/URLs; (2) verify the npm package @dlazy/cli (authors, repository, recent activity) and the domain dlazy.com/oss.dlazy.com; (3) prefer creating a limited-scope or temporary API key if possible; (4) ask the skill owner for an explicit install spec and a declaration that an API key is required (registry should list required env/credentials); (5) avoid global npm installs on shared systems or perform the install in an isolated environment (container/VM) and inspect the package code before running. Providing the above evidence (npm package link/repo, homepage, explicit required credentials) would increase confidence and could change the assessment to benign.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🤖 Clawdis
Binsnpm, npx
latestvk9716k1gecykj0z356xr8vesa985btvj
33downloads
0stars
1versions
Updated 22h ago
v1.0.0
MIT-0
@dlazyai
latest
Download

dlazy-viduq2-i2v

Convert static images into dynamic videos using Vidu Q2 image-to-video model.

Trigger Keywords

  • vidu q2
  • image to video
  • image to dynamic video

Usage

CRITICAL INSTRUCTION FOR AGENT: Run the dlazy viduq2-i2v command to get results.

dlazy viduq2-i2v -h

Options:
  --prompt <prompt>                    Prompt
  --generation_mode <generation_mode>  Generation Mode [default: components] (choices: "components", "frames")
  --images <images...>                 Images [image: url or local path] (max 10) [hidden when generation_mode="frames"]
  --firstFrame <firstFrame>            First Frame [image: url or local path] [only when generation_mode="frames"]
  --lastFrame <lastFrame>              Last Frame [image: url or local path] [only when generation_mode="frames"]
  --subjects <subjects...>             Subjects (max 7) [hidden when generation_mode="frames"]
  --audio <audio>                      Audio [default: false] (choices: "true", "false")
  --audioType <audioType>              Audio Type [default: all] (choices: "all", "speech_only") [hidden when generation_mode="frames"]
  --duration <duration>                Duration (s) [default: 5] (choices: "2", "3", "4", "5", "6", "7", "8", "9", "10")
  --aspectRatio <aspectRatio>          Aspect Ratio [default: 9:16] (choices: "16:9", "9:16", "1:1", "3:4", "4:3", "21:9", "2:3", "3:2")
  --resolution <resolution>            Resolution [default: 720p] (choices: "540p", "720p", "1080p")
  --watermark <watermark>              Watermark [default: false] (choices: "true", "false")
  --wmPosition <wmPosition>            Watermark Position [default: 3] (choices: "1", "2", "3", "4")
  --wmUrl <wmUrl>                      Watermark URL
  --input <spec>                       JSON payload: inline string, @file, or - (stdin)
  --dry-run                            Print payload + cost estimate without calling API
  --no-wait                            Return generateId immediately for async tasks
  --timeout <seconds>                  Max seconds to wait for async completion (default: "1800")
  -h, --help                           display help for command

Output Format

{
  "ok": true,
  "kind": "urls",
  "data": {
    "urls": [
      "https://oss.dlazy.com/result.mp4"
    ]
  }
}

Command Examples

# basic call:
dlazy viduq2-i2v --prompt 'prompt text' --image '/path/to/image.png'

# complex call:
dlazy viduq2-i2v --prompt 'prompt text' --image 'https://oss.dlazy.com/image.png'

Error Handling

CodeError TypeExample Message
401Unauthorized (No API Key)ok: false, code: "unauthorized", message: "API key is missing or invalid"
501Missing required parametererror: required option '--prompt <prompt>' not specified
502Local file read errorError: Image file/Video file not found: C:\path\to\your\file
503API request failed (no balance)ok: false, code: "insufficient_balance"
503API request failed (server error)HTTP status code error (500 server crash)
504Asynchronous task execution failed=== Generation Failed === / {Specific error reason returned by backend, for example "Prompt violates safety policy"}

AGENT CRITICAL INSTRUCTION:

  1. If the execution result returns code: "insufficient_balance", you MUST explicitly inform the user that their credits are insufficient and guide them to recharge: https://dlazy.com/dashboard/organization/settings?tab=credits
  2. If the execution result returns code: "unauthorized" or indicates missing API key, you MUST inform the user to get their API key from https://dlazy.com/dashboard/organization/api-key and send it to you. Once they provide it, save it using dlazy auth set <key> and resume the task.

Tips

Visit https://dlazy.com for more information.

Comments

Loading comments...