SearchOnlineAssets
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can read the stored config or environment variable may be able to use the user's dLazy organization API access.
The skill requires an organization-scoped API credential and may store it locally. This is disclosed and aligned with the service integration, but it is still account authority users should protect.
All requests require a dLazy API key... The CLI saves the key in your user config directory (`~/.dlazy/config.json` ...). You can also supply the key per-invocation via the `DLAZY_API_KEY` environment variable.
Use this only in trusted workspaces, keep the key out of shared logs/files, and rotate or revoke the key if the environment is compromised.
Installing or running the CLI executes code that was not included in this artifact review.
The skill points users to an external npm package, but the reviewed artifacts contain no package code, and the documentation has a version mismatch between 1.0.8 and 1.0.9.
install: 'npm install -g @dlazy/cli@1.0.9' ... `npx @dlazy/cli@1.0.9 <command>` ... npm package: `@dlazy/cli` (pinned to `1.0.8` in this skill's install spec)
Review the npm package and GitHub source before installing, and verify which package version is intended.
Search queries may reveal user intent or project context to dLazy/Pixabay-related services.
The artifacts disclose that search terms and filters leave the local workspace and are handled by external provider endpoints.
The query and filter parameters you provide are forwarded to the Pixabay API ... apiEndpoints: ['api.dlazy.com', 'files.dlazy.com']
Avoid using confidential names, unreleased project details, or sensitive personal information as search queries unless those disclosures are acceptable.