Text Storyboard Script

Review

Audited by ClawScan on May 10, 2026.

Overview

Review recommended: the skill says it is text-only, but its metadata and setup ask for a dLazy CLI/API key and allow cloud media generation and uploads.

Use this skill cautiously. If you only need storyboard text, do not run the dLazy CLI or provide an API key. If you do want the dLazy integration, review the npm package first, use a revocable API key, and avoid uploading sensitive scripts or media.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could treat this as permission to run an external generation CLI even when the user expected only a text storyboard.

Why it was flagged

The skill simultaneously permits CLI-based image rendering and says tools must not be invoked for media assets, leaving the agent's allowed actions ambiguous.

Skill content

openclaw.systemPrompt: "你可以通过调用 dlazy CLI 的各类生成模型(如 dlazy seedream-4.5 等)来完成实际的图片渲染。" ... "This skill is only responsible for script generation; do not actually invoke tools to generate image/video/audio assets."

Recommendation

Install only if you intend to use the dLazy CLI integration; otherwise, remove or ignore the CLI/rendering instructions and use the skill for text output only.

What this means

A dLazy credential may be stored locally and used by the CLI, potentially allowing cloud API actions under the user's organization.

Why it was flagged

The skill requires and persists a provider API key, which is high-impact account authority for a skill whose main purpose is described as text-only script generation.

Skill content

All requests require a dLazy API key... `dlazy login`... After a successful login, **the API key is automatically written to the local CLI configuration**

Recommendation

Use a dedicated, revocable dLazy API key if needed, verify the account scope, and revoke or rotate the key after testing.

What this means

Installing or running the CLI executes third-party code on the user's machine.

Why it was flagged

The skill asks users to install or run an external npm CLI package. It is pinned and source links are disclosed, but the package code is outside the provided scanned artifacts.

Skill content

`npm install -g @dlazy/cli@1.0.9` ... `npx @dlazy/cli@1.0.9 <command>`

Recommendation

Review the linked GitHub/npm package before installation, prefer `npx @dlazy/cli@1.0.9` for one-off use, and avoid global installation unless needed.

What this means

Private scripts, prompts, or media files could leave the local environment and be processed or hosted by dLazy services.

Why it was flagged

The skill discloses that prompts, parameters, and selected media files may be sent to dLazy cloud services, which is broader than a local text-only storyboard task.

Skill content

The prompts and parameters you provide are sent to the dLazy API (`api.dlazy.com`)... Local file paths are uploaded by the CLI to dLazy media storage (`files.dlazy.com`)

Recommendation

Do not provide confidential scripts or media unless you accept dLazy's cloud processing; confirm exactly which files are being uploaded before running CLI commands.