Plugin

Security checks across malware telemetry and agentic risk

Overview

This plugin is not clearly malicious, but it wraps a very broad media-generation CLI and includes under-disclosed voice cloning, canvas-writing, and credential/environment exposure risks.

Install only if you trust the dLazy CLI and service account context. Expect prompts, local media paths, and generated assets to be sent to dLazy services, and be aware the plugin can use existing local dLazy credentials. Avoid using it in environments with unrelated secrets in environment variables, and do not use the voice-cloning features unless you have explicit permission from the speaker.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The manifest markets this as a generation plugin, but the file bundles substantially broader capabilities including planning, execution orchestration, canvas modification, asset search, and long-form adaptation workflows. This scope mismatch can cause users or host systems to grant trust under false assumptions, enabling actions far beyond expected image/video/audio generation.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The skill includes instructions to call `drawToCanvas` and create workflow nodes on a canvas, which is a state-modifying capability unrelated to simple media generation. If invoked unexpectedly, it can alter user workspaces, create deceptive pipelines, or stage downstream execution without the user understanding that this skill can write into application state.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The bundled public-stock asset search expands the plugin from generation into external content retrieval, which is outside the narrow stated scope. This broadening increases data-flow and provenance risks, and can lead users to unknowingly pull third-party assets into workflows under a plugin they believed was only generative.

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
The skill bundles long-form webtoon adaptation and agent-orchestration behaviors that go well beyond generation, including staged workflow control and specialist-agent calls. This creates an unexpectedly powerful general-purpose automation surface that could be triggered under the trust envelope of a much narrower plugin description.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly states that the plugin spawns the `dlazy` CLI as a subprocess and allows credential injection via `apiKey`, but it does not warn users that tool inputs may be transformed into command-line flags or that secrets must be handled carefully. In a skill whose purpose is to let an agent invoke arbitrary model commands, missing documentation around subprocess execution, input trust boundaries, and credential exposure increases the chance of unsafe deployment and misuse.

Vague Triggers

Medium
Confidence
86% confidence
Finding
Broad trigger phrases like 'generate' and 'create image, video, audio' are likely to collide with ordinary conversation and cause the skill to activate unintentionally. Because this skill bundles many more capabilities than advertised, accidental invocation can route users into unintended external calls or state-changing workflows.

Vague Triggers

Medium
Confidence
85% confidence
Finding
A generic trigger in the idea-to-video/canvas workflow can activate on common creative requests, even though the underlying behavior includes planning and canvas mutation. This increases the risk of surprising state changes and workflow creation when the user did not explicitly ask for that capability.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The idea2video workflow uses overly generic trigger language while also including complex planning and canvas-writing instructions. That combination makes accidental activation materially more dangerous than a simple content-generation false start.

Missing User Warnings

High
Confidence
97% confidence
Finding
Voice-cloning functionality involves highly sensitive biometric audio and impersonation risk, yet the skill description does not prominently require consent or warn about misuse. This lowers user awareness around a capability that can enable fraud, social engineering, and non-consensual voice replication.

Missing User Warnings

High
Confidence
97% confidence
Finding
The Kling audio cloning section similarly normalizes cloning a real human voice without clear warnings about consent, impersonation, or biometric sensitivity. In context, this is dangerous because the plugin is broadly framed as a general media-generation tool, so users may not appreciate the elevated abuse potential.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The plugin clones the entire parent process environment and passes it to the spawned dlazy subprocess. That can expose unrelated secrets such as cloud credentials, tokens, and internal configuration to the external CLI and anything it invokes, expanding the trust boundary without minimizing or disclosing sensitive environment inheritance.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The manifest explicitly states that an API key may be exported into the tool process and that, absent a provided key, the CLI will use credentials from a local config file. This creates a real security concern because the plugin clearly performs authenticated external network actions but provides no user-facing warning or consent language about credential usage, remote service interaction, or which account context will be used.

VirusTotal

59/59 vendors flagged this plugin as clean.
