Dlazy Website To Video

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed wrapper around the dLazy website-to-video service and does not show hidden, destructive, or deceptive behavior.

Install only if you are comfortable using dLazy as an external service. Treat prompts, URLs, and any files passed with --files as data sent to dLazy, keep the API key in the documented local config or environment variable, and review the pinned @dlazy/cli package/source before running it in sensitive environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger list includes broad English phrases such as "promo video" and "social ad," which can match many unrelated user requests and cause the skill to activate unexpectedly. In this skill, unexpected activation is more sensitive because the workflow can initiate external SaaS interactions, upload local files when used with --files, and encourage authenticated CLI use, increasing the chance of unintended data handling or user redirection to a third-party service.

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger list includes generic phrases like 'promo video', 'social ad', and 'product demo' without tight constraints tying invocation specifically to URL-to-video workflows. This can cause the skill to activate in overly broad situations, routing unrelated user requests into an external SaaS-backed workflow that uploads data and sends prompts to third-party endpoints, increasing the risk of unintended data exposure or misuse.

VirusTotal

64/64 vendors flagged this skill as clean.
