Skill v1.0.5
ClawScan security
Image Marketing Brochure · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 2:36 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions are coherent with a brochure-design workflow that uses the dLazy CLI/API; it asks for a CLI install and an API key and instructs the agent to run the dLazy commands and upload media to dLazy's storage, which matches its stated purpose.
- Guidance: This skill appears to do what it says: it is a workflow wrapper around the dLazy CLI/API for brochure image generation. Before installing or using it: 1) Review the referenced GitHub repo and the npm package code (or use npx rather than a global install) to confirm there are no unexpected behaviors. 2) Be aware that any local file paths you provide will be uploaded to dLazy's media storage (oss.dlazy.com); do not pass sensitive files. 3) The skill requires a dLazy API key — only create/use a key if you trust dlazy.com; you can rotate or revoke the key from the dashboard. 4) The instructions tell the agent to run terminal commands on your machine; permit this only if you are comfortable with the CLI and its privileges. 5) The SKILL's prohibition on saving prompts to files is unusual — consider whether that restriction affects your audit or record-keeping needs. If you want higher assurance, ask the maintainer for a link to a specific commit or release artifact to audit before installing.
Review Dimensions
- Purpose & Capability (ok): Name/description match what the skill asks for: it requires npm/npx and is a thin client over the dLazy hosted API. The metadata and runtime instructions reference @dlazy/cli, api.dlazy.com and oss.dlazy.com, which are consistent with a cloud image-generation workflow.
- Instruction Scope (note): SKILL.md explicitly instructs the agent to execute terminal dlazy commands and to upload any local files referenced to dLazy's media storage. That behavior is coherent for image generation, but it means any local file path you supply will be uploaded to an external service. The SKILL also contains explicit operational constraints (e.g., 'do not save prompts to any file', 'execute one synchronous command at a time') — these are unusual but not inherently malicious. Confirm you are comfortable with CLI execution and with uploading any local files you reference.
- Install Mechanism (note): The registry has no formal install spec, but SKILL.md/metadata recommend installing the npm package @dlazy/cli@1.0.8 or using npx. Installing an npm package is a normal approach; prefer npx for one-off use and review the GitHub repo (github.com/dlazyai/cli) before global install to verify code and permissions.
- Credentials (ok): The skill does not demand unrelated credentials. It legitimately requires a dLazy API key to call the dLazy API, and explains the CLI will persist the key in ~/.dlazy/config.json or accept DLAZY_API_KEY per invocation. This is proportional to the cloud-generation purpose.
- Persistence & Privilege (ok): always is false and the skill does not request system-wide privileges or to modify other skills. The CLI will persist a config file in the user's home directory when you perform an auth flow; that is expected for a CLI client. As with any tool that can run commands, allow only if you trust the package and service.
