Back to skill

Security audit

Dlazy Detect

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it needs review because it can upload sensitive media to dLazy services and the current CLI does not appear to expose the advertised detect command.

Install only if you are comfortable with local media being sent to dLazy-hosted storage and analysis services, and avoid private faces, voices, confidential videos, or regulated data unless you have confirmed retention and deletion terms. Also verify the CLI currently supports the `detect` command before relying on this skill, because the inspected latest CLI manifest did not list it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes broad, generic terms such as "detect" that can match many unrelated user requests and cause this skill to activate unexpectedly. Because this skill can upload local files and call a remote API, accidental invocation increases the chance of unintended data transfer, unwanted API usage, and confusing or privacy-impacting behavior.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states that local image, video, and audio files are automatically uploaded to dLazy media storage and then sent to backend services, but it does not present a prominent privacy and data-transfer warning at the point of use. In this context, the risk is elevated because users may provide sensitive biometric media such as faces, voices, or private videos, creating a meaningful chance of unintentional exfiltration to third-party infrastructure.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger keywords include broad phrases like 'detect' and 'is this AI', which can cause the skill to activate during ordinary conversation unrelated to explicit user intent. In this skill's context, accidental invocation is more concerning because it can lead to local media being processed and potentially uploaded to external services, creating privacy and consent risks.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill states that local files are automatically uploaded to dLazy media storage and analyzed remotely, but this data-transfer behavior is not surfaced as a prominent privacy/security warning before use. Because the skill handles user-supplied images, videos, and audio, silent or poorly disclosed external upload can expose sensitive personal, biometric, or confidential media to third-party infrastructure without informed consent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.