Back to skill

Security audit

讲解视频 Explainer Video

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed dLazy document-to-video integration, with expected cloud processing and API-key use for its stated video-generation purpose.

Install only if you are comfortable sending prompts and any attached files to dLazy's cloud service. Avoid attaching sensitive documents unless dLazy's terms and your organization's data rules allow it, and rotate or revoke the stored API key if access is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The top-level description is broad enough to trigger on generic requests about presentations, courseware, or training content, which can cause the agent to invoke this external SaaS-backed skill when the user did not explicitly ask for document-to-video generation. Because the skill uploads user-supplied files to remote endpoints and requires persistent project context, over-triggering increases the risk of unintended data disclosure and unnecessary external execution.

Vague Triggers

Medium
Confidence
85% confidence
Finding
Several trigger phrases, such as broad document/video and training-related terms, are underspecified and may match ordinary help requests that do not require this skill. In this skill's context, mistaken activation is more dangerous because attached local files are uploaded to `files.dlazy.com` and prompts are sent to `api.dlazy.com`, so an overly loose trigger can route sensitive content to a third-party service without sufficiently specific user intent.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list contains broad terms such as 'explainer video' and 'document to video' that can match many ordinary user requests without clearly signaling when this specific external SaaS skill should be invoked. Over-broad activation can cause unintended routing of user content and attached files to the dLazy service, increasing privacy and data-handling risk even if the skill itself is not overtly malicious.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.