ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dlazy Wan2.6 R2v

v1.0.0

Accurately generate continuous videos based on reference images using Wan 2.6 R2V.

0· 30·0 current·0 all-time
by@dlazyai
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (generate videos from reference images using Wan 2.6 R2V) aligns with the CLI commands documented (dlazy wan2.6-r2v) and the required binaries (npm/npx) which support installing a CLI. However metadata inside SKILL.md includes an npm install -g @dlazy/cli@1.0.5 while the registry lists no install spec — this mismatch is unexpected and should be clarified.
!
Instruction Scope
The SKILL.md instructs the agent to run the dlazy CLI and read image paths/URLs (expected). However it also mandates the agent ask the user to provide their dlazy API key in chat and to run dlazy auth set <key> to save it, which means the agent will receive a secret from the user. Asking the user to 'send it to you' is broad and increases risk of credential exposure/exfiltration and is not constrained or documented in the registry metadata.
Install Mechanism
There is no install spec in the registry metadata, but SKILL.md's embedded metadata suggests installing @dlazy/cli globally via npm. Instruction-only skills usually don't perform installs; the presence of an install command inside SKILL.md (but not as an explicit install spec) is an inconsistency and could lead to unexpected global npm installs if followed by an agent or operator.
!
Credentials
The registry declares no required environment variables or primary credential, yet the instructions explicitly expect and require a dlazy API key (error handling and a recovery flow that tells the user to obtain and supply an API key). This lack of declaration is disproportionate: the skill effectively requires a secret but doesn't list it as a required credential or primaryEnv.
Persistence & Privilege
The skill is not always-enabled and does not declare config paths. But instructions direct the agent to run dlazy auth set <key>, which will persist credentials into the dlazy CLI's config (local filesystem) — a form of persistence that is not documented in the registry metadata. This creates moderate risk if users are not made aware where keys are stored and how to revoke them.
What to consider before installing
This skill appears to call a third-party dlazy CLI to create videos, which is coherent with its description — but it has three issues you should consider before installing/using it: (1) SKILL.md tells the agent to ask you to paste your dlazy API key into chat and then run dlazy auth set <key>. Do not paste sensitive API keys into an open chat unless you trust the agent and platform; prefer using the platform's secret storage or running the CLI locally yourself. (2) The registry did not declare any required credentials, yet the skill requires an API key; ask the publisher (or avoid the skill) until the credential requirement is explicit. (3) The SKILL.md suggests installing @dlazy/cli globally via npm, but the registry has no formal install spec — verify the package source on npm (or GitHub) before installing, and prefer manual inspection or installing in a controlled environment. If you decide to proceed, ask: Where is the API key stored by dlazy auth set? Can the skill be used in a dry-run mode without providing credentials? Can I run the CLI locally and provide only generated URLs to the agent instead of sending secrets through chat?

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🤖 Clawdis
Binsnpm, npx
latestvk978t5qbfh937cfj5k1evwxr0n85ajmp
30downloads
0stars
1versions
Updated 22h ago
v1.0.0
MIT-0
@dlazyai
latest
Download

dlazy-wan2.6-r2v

Accurately generate continuous videos based on reference images using Wan 2.6 R2V.

Trigger Keywords

  • wan 2.6
  • reference image to video
  • generate video

Usage

CRITICAL INSTRUCTION FOR AGENT: Run the dlazy wan2.6-r2v command to get results.

dlazy wan2.6-r2v -h

Options:
  --prompt <prompt>                    Prompt
  --generation_mode <generation_mode>  Generation Mode [default: components] (choices: "components")
  --images <images...>                 Images [image: url or local path] (max 10)
  --size <size>                        Size [default: 720*1280] (choices: "1280*720", "720*1280", "960*960", "1088*832", "832*1088", "1920*1080", "1080*1920", "1440*1440", "1632*1248", "1248*1632")
  --duration <duration>                Duration (s) [default: 5] (choices: "2", "3", "4", "5", "6", "7", "8", "9", "10")
  --shotType <shotType>                Shot Type [default: single] (choices: "single", "multi")
  --watermark <watermark>              Watermark [default: false] (choices: "true", "false")
  --input <spec>                       JSON payload: inline string, @file, or - (stdin)
  --dry-run                            Print payload + cost estimate without calling API
  --no-wait                            Return generateId immediately for async tasks
  --timeout <seconds>                  Max seconds to wait for async completion (default: "1800")
  -h, --help                           display help for command

Output Format

{
  "ok": true,
  "kind": "urls",
  "data": {
    "urls": [
      "https://oss.dlazy.com/result.mp4"
    ]
  }
}

Command Examples

# basic call:
dlazy wan2.6-r2v --prompt 'prompt text' --image '/path/to/image.png'

# complex call:
dlazy wan2.6-r2v --prompt 'prompt text' --image 'https://oss.dlazy.com/image.png'

Error Handling

CodeError TypeExample Message
401Unauthorized (No API Key)ok: false, code: "unauthorized", message: "API key is missing or invalid"
501Missing required parametererror: required option '--prompt <prompt>' not specified
502Local file read errorError: Image file/Video file not found: C:\path\to\your\file
503API request failed (no balance)ok: false, code: "insufficient_balance"
503API request failed (server error)HTTP status code error (500 server crash)
504Asynchronous task execution failed=== Generation Failed === / {Specific error reason returned by backend, for example "Prompt violates safety policy"}

AGENT CRITICAL INSTRUCTION:

  1. If the execution result returns code: "insufficient_balance", you MUST explicitly inform the user that their credits are insufficient and guide them to recharge: https://dlazy.com/dashboard/organization/settings?tab=credits
  2. If the execution result returns code: "unauthorized" or indicates missing API key, you MUST inform the user to get their API key from https://dlazy.com/dashboard/organization/api-key and send it to you. Once they provide it, save it using dlazy auth set <key> and resume the task.

Tips

Visit https://dlazy.com for more information.

Comments

Loading comments...