
Security audit

Dlazy Script

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed dLazy storyboard generator, but its very broad trigger word could cause unintended cloud API calls or file uploads.

Review before installing if your agent auto-invokes skills from trigger words. Use this only when you are comfortable sending prompts and any referenced files to dLazy, and prefer the environment variable option if you do not want the API key saved locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 85%
Finding: The trigger keyword is a single, generic term ('script'), which is highly likely to collide with ordinary user requests or other tools. In an agentic environment, this can cause unintended activation of the skill, leading to surprise execution of an external CLI/API workflow and unintended transmission of prompts or referenced files to a third-party service.

Vague Triggers

Medium
Confidence: 90%
Finding: The trigger keyword `script` is extremely generic and likely to appear in many unrelated user requests, increasing the chance this skill is invoked unintentionally. Because the skill forwards prompts and optional local files to a hosted API, accidental activation can cause unintended data transmission, billing, or execution of cloud-side actions the user did not mean to request.

VirusTotal

62/62 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.