TensorLab Image
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: tensorslab-image
Version: 1.0.1
The skill bundle provides a legitimate interface for interacting with the TensorsLab image generation and editing API. The Python script (scripts/tensorslab_image.py) is well-structured, focusing on API communication, task polling, and image downloading to a local directory. The documentation (SKILL.md and references/) provides clear instructions for the AI agent to perform image-related tasks without any evidence of malicious intent, data exfiltration, or unauthorized command execution.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may consume TensorsLab credits and relies on protecting the API key.
The script reads a provider API key from the environment and sends it as a bearer token to TensorsLab, which is expected for this integration but gives the skill access to the user's TensorsLab account quota.
api_key = os.environ.get("TENSORSLAB_API_KEY")
...
"Authorization": f"Bearer {api_key}"
Use a dedicated/revocable TensorsLab API key if possible, avoid sharing logs that include credentials, and rotate the key if it is exposed.
Any selected local image, including photos of people or private material, may be sent to TensorsLab for processing.
For image-to-image and editing workflows, local source images supplied to the script are opened and included in the multipart request to the external TensorsLab API.
for img_path in source_images:
    f = open(img_path, "rb")
    ...
    files.append(("sourceImage", (os.path.basename(img_path), f)))
Only provide image files you are comfortable uploading to the provider, and check TensorsLab's privacy and retention terms for sensitive images.
Users who rely on a local or corporate proxy for network routing, monitoring, or access control may not get the expected proxy behavior for this script.
The HTTP session explicitly clears proxy settings for this client, which may bypass a user's configured proxy for these provider calls.
_SESSION = requests.Session()
_SESSION.proxies = {"http": "", "https": ""}
If proxy use is required, review or modify this session configuration before running the script.
Outputs could be mistaken for unedited or authentic images if shared without disclosure.
The face replacement prompt template asks for edits that are hard to detect, which is disclosed and user-directed but can affect trust in generated media.
The result should look natural and undetectable as an edit.
Use face replacement and watermark/object removal only with appropriate rights and consent, and disclose edits when sharing results.
