Back to plugin

Security audit

Plugin

Security checks across malware telemetry and agentic risk

Overview

This plugin is not clearly malicious, but it wraps a very broad media-generation CLI and includes under-disclosed voice cloning, canvas-writing, and credential/environment exposure risks.

Install only if you trust the dLazy CLI and service account context. Expect prompts, local media paths, and generated assets to be sent to dLazy services, and be aware the plugin can use existing local dLazy credentials. Avoid using it in environments with unrelated secrets in environment variables, and do not use the voice-cloning features unless you have explicit permission from the speaker.

VirusTotal

59/59 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/smoke.mjs:81
Evidence
execSync("dlazy --version", { stdio: "ignore" });