Security audit

Dlazy Execute

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate dLazy workflow runner, but its very broad trigger could accidentally start a paid cloud workflow that sends prompts or files to dLazy.

Install only if you intend to use dLazy workflows. Before running it, review each proposed command and any referenced local files, avoid sensitive media or confidential prompts, use a revocable dLazy key, and consider narrowing the trigger to a dLazy-specific phrase such as "dlazy execute".

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 84% confidence
Finding: Using a very broad trigger keyword like `execute` increases the chance of accidental invocation during normal conversation or confusion with unrelated commands. In an agent setting, that can cause unintended tool activation, which may lead to unexpected API calls, file uploads to the vendor service, or exposure of user data included in prompts.

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The trigger keyword `execute` is extremely generic and is likely to match ordinary user requests unrelated to this specific tool, causing unintended invocation. In this skill, that risk is amplified because invoking the command can send prompts and files to a remote SaaS API and may consume credits, so accidental activation has privacy and cost consequences beyond a harmless misfire.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal