Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dlazy Viduq2 T2i

v1.0.0

Generate high-quality images with Vidu Q2. Supports text-to-image and image-to-image.

Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (Vidu Q2 image generation) aligns with the instruction to run a dlazy CLI command. Requiring npm/npx is reasonable because the SKILL metadata suggests installing @dlazy/cli. However, the skill's manifest does not declare the API key or primary credential even though the runtime instructions clearly require one; that omission is an inconsistency.
Instruction Scope [!]
Runtime instructions explicitly tell the agent to ask the user for their API key and run 'dlazy auth set <key>' to save it, and to run the 'dlazy viduq2-t2i' CLI which can accept local file paths (the CLI may read and upload local files). Instructions therefore extend beyond purely composing prompts: they solicit secrets and operate on user files. The skill does not clearly limit or warn about uploading local files or how keys are stored.
Install Mechanism
The SKILL metadata includes 'npm install -g @dlazy/cli@1.0.5' (a standard npm install). Top-level registry data lists no install spec, creating a mismatch between declared install behavior in the SKILL and the registry record. Installing a global npm package is a moderate-risk operation (downloads code from the npm registry); this is plausible for a CLI-based integration but should be clearly documented in the registry metadata.
Credentials [!]
The registry lists no required env vars or primary credential, yet the instructions explicitly require an API key (and instruct the agent to ask the user to paste it). Requesting user secrets without declaring them in the skill metadata is disproportionate and raises risk of accidental key exposure. The agent is instructed to store the provided key via the CLI but there is no detail about storage location/permissions.
Persistence & Privilege
The skill does not set always:true and does not request system-wide privileges, which is good. However, it explicitly tells the agent to run 'dlazy auth set <key>' to persist credentials (likely writing to local config), so installing and using the CLI will create persistent auth state outside the agent's manifest. That behavior is plausible for a CLI but should be disclosed in metadata.
What to consider before installing
This skill appears to be a thin wrapper around a third‑party CLI (@dlazy/cli) for image generation, which is reasonable, but it has some important gaps. Before installing or using it:

  • Do not paste your API keys into chat. The skill instructs the agent to request and save your API key; instead, consider running 'dlazy auth set <key>' yourself in a terminal you control, or set the key in a secure environment variable.
  • Verify the CLI package (@dlazy/cli@1.0.5) on the npm registry and review its source; global npm installs run third‑party code on your machine.
  • Understand that providing local file paths may upload those files to dlazy's servers (oss.dlazy.com). Avoid sending sensitive files.
  • Because the skill did not declare the API key in its metadata, treat the request for credentials as an inconsistency: ask the skill author or publisher for a clearer security notice describing where credentials are stored and how uploaded files are handled.

If you are not comfortable auditing the npm package or handling secrets, run the CLI locally yourself rather than giving credentials to the agent.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🤖 Clawdis
Bins: npm, npx
latest: vk979gm6ctph2k1w5m02pzjzryh85be6y
33 downloads
0 stars
1 versions
Updated 22h ago
v1.0.0
MIT-0

dlazy-viduq2-t2i

Generate high-quality images with Vidu Q2. Supports text-to-image and image-to-image.

Trigger Keywords

  • vidu q2
  • generate image, edit image
  • text to image, image to image

Usage

CRITICAL INSTRUCTION FOR AGENT: Run the dlazy viduq2-t2i command to get results.

dlazy viduq2-t2i -h

Options:
  --prompt <prompt>                    Prompt
  --generation_mode <generation_mode>  Generation Mode [default: components] (choices: "components")
  --images <images...>                 Images [image: url or local path] (max 10)
  --aspectRatio <aspectRatio>          Aspect Ratio [default: 9:16] (choices: "16:9", "9:16", "1:1", "3:4", "4:3", "21:9", "2:3", "3:2")
  --resolution <resolution>            Resolution [default: 1080p] (choices: "1080p", "2K", "4K")
  --input <spec>                       JSON payload: inline string, @file, or - (stdin)
  --dry-run                            Print payload + cost estimate without calling API
  --no-wait                            Return generateId immediately for async tasks
  --timeout <seconds>                  Max seconds to wait for async completion (default: "1800")
  -h, --help                           display help for command

Output Format

{
  "ok": true,
  "kind": "urls",
  "data": {
    "urls": [
      "https://oss.dlazy.com/result.mp4"
    ]
  }
}

Command Examples

# basic call (local image path; the flag is --images, as listed in the help output):
dlazy viduq2-t2i --prompt 'prompt text' --images '/path/to/image.png'

# complex call (image given as a URL):
dlazy viduq2-t2i --prompt 'prompt text' --images 'https://oss.dlazy.com/image.png'

Error Handling

| Code | Error Type | Example Message |
|------|------------|-----------------|
| 401 | Unauthorized (No API Key) | ok: false, code: "unauthorized", message: "API key is missing or invalid" |
| 501 | Missing required parameter | error: required option '--prompt <prompt>' not specified |
| 502 | Local file read error | Error: Image file/Video file not found: C:\path\to\your\file |
| 503 | API request failed (no balance) | ok: false, code: "insufficient_balance" |
| 503 | API request failed (server error) | HTTP status code error (500 server crash) |
| 504 | Asynchronous task execution failed | === Generation Failed === / {Specific error reason returned by backend, for example "Prompt violates safety policy"} |

AGENT CRITICAL INSTRUCTION:

  1. If the execution result returns code: "insufficient_balance", you MUST explicitly inform the user that their credits are insufficient and guide them to recharge: https://dlazy.com/dashboard/organization/settings?tab=credits
  2. If the execution result returns code: "unauthorized" or indicates missing API key, you MUST inform the user to get their API key from https://dlazy.com/dashboard/organization/api-key and send it to you. Once they provide it, save it using dlazy auth set <key> and resume the task.

Tips

Visit https://dlazy.com for more information.
