Hd Infoimage

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill’s image-generation purpose is understandable, but it under-declares local API-key use and relies on unreviewed helper scripts, including one that sends output to Feishu.

Install only if you are comfortable with the agent using your ZenMux API key and external helper scripts. Before running it, confirm where Feishu output will be sent, avoid exposing API keys in chat/logs, and prefer an explicitly declared, reviewed image-generation integration.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may access and expose a provider API key from local OpenClaw configuration when generating images.

Why it was flagged

The README instructs reading and printing a locally stored ZenMux API key, while the registry declares no required environment variables, credentials, or config paths.

Skill content

Read the API key: `cat ~/.openclaw/openclaw.json | python3 -c "import json,sys; d=json.load(sys.stdin); print(d['models']['providers']['ZenMux']['apiKey'])"`

Recommendation

Declare the ZenMux credential and config path explicitly, avoid printing secrets, and use a secure credential handoff limited to the image-generation request.

What this means

Image generation depends on external local code whose behavior and provenance are not reviewable from this skill package.

Why it was flagged

The skill has no code or install spec of its own but instructs running a script from another skill directory that is not included in the reviewed artifacts.

Skill content

cd /root/.openclaw/workspace/skills/zenmux-image-generation
ZENMUX_API_KEY="<key>" python3 scripts/generate.py

Recommendation

Package or declare the required helper skill/script, pin its provenance, and make the dependency clear before asking the agent to run it with credentials.

What this means

Generated images derived from the user’s article or private content could be shared to an unclear Feishu destination.

Why it was flagged

The skill tells the agent to send generated output through a Feishu helper from another skill, without declaring the destination, credentials, data boundaries, or approval step.

Skill content

After generation, send it with `send_to_feishu.sh` (see the sketch-illustration skill)

Recommendation

Make Feishu sending optional, require explicit user confirmation, and disclose the exact destination, credentials used, and content being sent.