Kling Video Generation

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a disclosed Kling video-generation integration, with the main caution being that it sends prompts and selected media files to a hosted API.

Install only if you trust the dLazy CLI and service. Treat the API key as sensitive, expect prompts and selected media inputs to be uploaded to dLazy endpoints, and prefer per-run npx usage or a reviewed pinned install if you do not want a persistent global binary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 80%
Finding
The trigger description uses broad catch-all language such as '包括但不限于' ("including but not limited to") and '凡是涉及...都应触发' ("anything involving ... should trigger"), which can cause the skill to activate for loosely related requests. Overbroad triggering can route unintended user inputs into a shell-backed workflow, increasing the chance of misuse, surprise execution, or inappropriate handling of content outside the intended scope.

VirusTotal

66/66 vendors flagged this skill as clean.
