Dlazy Wan2.7

Security checks across malware telemetry and agentic risk

Overview

This appears to be a disclosed cloud video-generation skill; the main issue is broad trigger wording that could route generic requests to it unintentionally.

Install only if you intend to use this third-party video-generation service. Treat prompts and any attached media as data sent to the provider, protect the API key, and prefer explicit requests such as the product name rather than generic video-generation phrasing.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The trigger keyword “视频生成” is overly broad and can cause unintended invocation of this skill for generic user requests. In this skill’s context, accidental activation is more dangerous because the documented workflow can upload local files and send prompts/media to external SaaS endpoints, increasing the risk of unintended data transfer or tool execution.

Vague Triggers

Medium

Confidence: 85% confidence
Finding: The trigger keyword "video generation" is generic enough to match many unrelated user requests, which can cause the agent to invoke this third-party cloud skill unexpectedly. In this skill, that is more sensitive because invocation can lead to network calls, use of stored API credentials, and possible upload of local media files to external endpoints.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal