ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dlazy Jimeng I2v First

v1.0.4

Generate dynamic videos based on a single first frame image and prompts using Jimeng.

0· 552·1 current·1 all-time
bydlazy@dlazyai

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for dlazyai/dlazy-jimeng-i2v-first.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Dlazy Jimeng I2v First" (dlazyai/dlazy-jimeng-i2v-first) from ClawHub.
Skill page: https://clawhub.ai/dlazyai/dlazy-jimeng-i2v-first
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: npm, npx
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install dlazy-jimeng-i2v-first

ClawHub CLI

Package manager switcher

npx clawhub@latest install dlazy-jimeng-i2v-first
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (image→video via Jimeng) matches the instructions which call the dLazy CLI. Requiring npm/npx to run or install the CLI is reasonable. However, the skill metadata in the SKILL.md and the registry show inconsistent version numbers (SKILL.md frontmatter v1.0.2, registry v1.0.4, metadata.install pins @dlazy/cli@1.0.6), which is unexpected and should be clarified.
!
Instruction Scope
Runtime instructions direct the agent to run the dLazy CLI which will upload any local image/video/audio paths to oss.dlazy.com. That is coherent for a cloud media generation tool, but it does mean the agent (and user) must expect local files to be transmitted to an external service. The SKILL also contains explicit agent-only directives (how to respond to insufficient_balance/unauthorized) which are fine but grant the skill strong behavioral guidance. There is no instruction to read unrelated system files, but the CLI will read/write the user's config at ~/.dlazy/config.json (storing API keys).
Install Mechanism
This is an instruction-only skill with no install spec in the registry, but metadata suggests installing a pinned npm package or using npx. Using npx executes remote code on demand (pulls package from npm) — expected for a CLI but higher-risk than an instruction-only wrapper because it fetches and runs third-party code. The referenced package and GitHub repo should be reviewed before installing.
!
Credentials
Registry metadata lists no required env vars, yet the SKILL.md states that a dLazy API key is required and can be provided via DLAZY_API_KEY or stored with `dlazy auth set`. The skill failing to declare the API credential as a required env variable/config requirement is an inconsistency. Also note the CLI will persist the API key to ~/.dlazy/config.json, which is expected but important for users to know (local credential storage).
Persistence & Privilege
always is false (no forced inclusion). The CLI will write the user's own config file (~/.dlazy/config.json) for storing API keys — normal for a CLI but it does create persistent credentials on disk. The skill does not request system-wide privileges or alter other skills' configs.
Scan Findings in Context
[no-regex-findings] expected: The static scanner found no code to analyze (skill is instruction-only). That absence is expected but provides limited assurance; the real security surface is the external npm package and the dLazy service the CLI contacts.
What to consider before installing
Before installing or running this skill: 1) Confirm you are comfortable that any local images/videos passed to the CLI will be uploaded to oss.dlazy.com (this is necessary for cloud generation). 2) The CLI requires a dLazy API key (can be set with `dlazy auth set` or via DLAZY_API_KEY); the skill did not declare this credential in registry metadata—treat it as required. 3) Review the referenced npm package (@dlazy/cli) and its GitHub repo (https://github.com/dlazyai/cli) and the exact pinned version before running npm install or npx, since npx will download/execute remote code. 4) Note the CLI stores the API key in ~/.dlazy/config.json — rotate/revoke keys as needed and consider using per-invocation env vars for sensitive contexts. 5) Clarify/version-check with the skill author about the inconsistent version numbers in the manifest (1.0.2 / 1.0.4 / install pinned 1.0.6). If you need higher assurance, ask the publisher for a reproducible install snapshot or prefer running the CLI in an isolated environment/container and inspect its source before use.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🤖 Clawdis
Binsnpm, npx
latestvk972krdz63th60wby3arwb4nrs85nyrm
552downloads
0stars
5versions
Updated 23h ago
v1.0.4
MIT-0
dlazy@dlazyai
latest
Download

dlazy-jimeng-i2v-first

English · 中文

Generate dynamic videos based on a single first frame image and prompts using Jimeng.

Trigger Keywords

  • jimeng image to video
  • first frame to video
  • image to video

Authentication

All requests require a dLazy API key, configured through the CLI:

dlazy auth set YOUR_API_KEY

The CLI saves the key in your user config directory (~/.dlazy/config.json on macOS/Linux, %USERPROFILE%\.dlazy\config.json on Windows), with file permissions restricted to your OS user account. You can also supply the key per-invocation via the DLAZY_API_KEY environment variable.

Getting Your API Key

  1. Sign in or create an account at dlazy.com
  2. Go to dlazy.com/dashboard/organization/api-key
  3. Copy the key shown in the API Key section

Each key is scoped to your dLazy organization and can be rotated or revoked at any time from the same dashboard.

About & Provenance

You can install on demand without persisting a global binary by running:

npx @dlazy/cli@1.0.6 <command>

Or, if you prefer a global install, the skill's metadata.clawdbot.install field declares the exact pinned version (npm install -g @dlazy/cli@1.0.6). Review the GitHub source before installing.

How It Works

This skill is a thin client over the dLazy hosted API. When you invoke it:

  • Prompts and parameters you provide are sent to the dLazy API endpoint (api.dlazy.com) for inference.
  • Any local file paths you pass to image / video / audio fields are uploaded to dLazy's media storage (oss.dlazy.com) so the model can read them — the same flow as any cloud-based generation API.
  • Generated output URLs returned by the API are hosted on oss.dlazy.com.

This is the standard SaaS pattern; the skill itself does not access network or filesystem resources beyond what the dLazy CLI already handles. See dlazy.com for the full service terms.

Usage

CRITICAL INSTRUCTION FOR AGENT: Run the dlazy jimeng-i2v-first command to get results.

dlazy jimeng-i2v-first -h

Options:
  --prompt <prompt>                    Prompt
  --firstFrame <firstFrame>            First Frame [image: url or local path]
  --duration <duration>                Duration (s) [default: 5] (choices: "5", "10")
  --input <spec>                       JSON payload: inline string, @file, or - (stdin)
  --dry-run                            Print payload + cost estimate without calling API
  --no-wait                            Return generateId immediately for async tasks
  --timeout <seconds>                  Max seconds to wait for async completion (default: "1800")
  -h, --help                           display help for command

Output Format

{
  "ok": true,
  "kind": "urls",
  "data": {
    "urls": [
      "https://oss.dlazy.com/result.mp4"
    ]
  }
}

Command Examples

# basic call:
dlazy jimeng-i2v-first --prompt 'prompt text' --image '/path/to/image.png'

# complex call:
dlazy jimeng-i2v-first --prompt 'prompt text' --image 'https://oss.dlazy.com/image.png'

Error Handling

CodeError TypeExample Message
401Unauthorized (No API Key)ok: false, code: "unauthorized", message: "API key is missing or invalid"
501Missing required parametererror: required option '--prompt <prompt>' not specified
502Local file read errorError: Image file/Video file not found: C:\path\to\your\file
503API request failed (no balance)ok: false, code: "insufficient_balance"
503API request failed (server error)HTTP status code error (500 server crash)
504Asynchronous task execution failed=== Generation Failed === / {Specific error reason returned by backend, for example "Prompt violates safety policy"}

AGENT CRITICAL INSTRUCTION:

  1. If the execution result returns code: "insufficient_balance", you MUST explicitly inform the user that their credits are insufficient and guide them to recharge: https://dlazy.com/dashboard/organization/settings?tab=credits
  2. If the execution result returns code: "unauthorized" or indicates missing API key, you MUST inform the user to get their API key from https://dlazy.com/dashboard/organization/api-key and save it using dlazy auth set <key> and resume the task.

Tips

Visit https://dlazy.com for more information.

Comments

Loading comments...