Dlazy Viduq2 T2i

Security checks across malware telemetry and agentic risk

Overview

This appears to be a disclosed dLazy cloud image-generation skill, with the main caution that broad trigger phrases could invoke it more often than intended.

Install only if you are comfortable sending image prompts and any selected local media files to dLazy. Use provider-specific wording when invoking it, avoid sensitive images unless appropriate for that service, and review how the dLazy API key is stored or supplied before first use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (84% confidence)

Finding:
The trigger keywords include broad everyday phrases like '生成图片、编辑图片', which can cause the skill to be invoked in contexts the user did not explicitly intend. In an agent environment, overbroad routing can lead to accidental transmission of prompts or local file paths to an external SaaS API, increasing privacy and data-handling risk.

Vague Triggers

Medium (95% confidence)

Finding:
The trigger keywords are broad and generic (for example, 'generate image, edit image' and 'text to image, image to image'), which can cause this skill to be selected in contexts far beyond the specific Vidu Q2 tool. That increases the chance an agent will invoke this external SaaS-backed skill unnecessarily, sending user prompts or local image paths to remote endpoints without sufficiently specific user intent.

VirusTotal

64/64 vendors flagged this skill as clean.
