Back to skill

Security audit

Dlazy Vectorize

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud image-vectorization wrapper, with ordinary SaaS upload and API-key handling risks users should understand.

Install only if you are comfortable using dLazy's hosted service. Treat any local image path passed to the command as an upload to dLazy, prefer `npx @dlazy/cli@1.2.2` if you do not want a persistent global CLI, and consider using `DLAZY_API_KEY` per invocation or checking permissions on `~/.dlazy/config.json` if the machine is shared.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger keyword is a single broad term, "vectorize", which can plausibly appear in ordinary user requests about graphics, embeddings, or general image processing. In an agent environment, overly broad triggers can cause accidental skill activation, leading to unintended execution of external CLI/API actions and possible upload of local image paths to the vendor service.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger keyword `vectorize` is generic and likely to appear in ordinary user requests about image editing or graphics workflows, which can cause the skill to activate unexpectedly. Because this skill installs or invokes a third-party CLI, uploads local files to hosted endpoints, and may require authentication, accidental invocation can lead to unintended network access, file disclosure, or user confusion.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.