Dlazy Wan2.6 R2v Flash

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed dLazy video-generation skill that uses a pinned external CLI and cloud API, with no artifact evidence of hidden or destructive behavior.

Install only if you intend to use dLazy's hosted service. Before invoking it, confirm that you want prompts and any referenced media files uploaded to dLazy, and be aware that API use may consume account credits. Prefer npx or review the pinned CLI source before a global install, and rotate or revoke the API key from the dLazy dashboard if needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger keywords are overly broad, including generic terms like '生成视频' that can match ordinary user requests unrelated to this specific third-party SaaS tool. In an agent environment, that increases the chance of unintended tool invocation, which may cause unexpected network calls, file uploads, or paid API usage to an external service.

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The trigger keywords include very generic phrases such as "generate video," which can match common user requests unrelated to this specific tool. Overly broad activation increases the chance the agent invokes this external SaaS skill unexpectedly, causing unintended data disclosure, unnecessary API usage, or surprise charges if user prompts or local files are forwarded to the vendor service.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal