Image Gen Cheap
v1.0.1低成本图片生成与编辑。使用老张 API,最低 $0.01/张。支持文生图、图片编辑。触发词:生成图片、画图、AI 作图、文生图、图片编辑。
⭐ 0· 77·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (low-cost image generation/editing via LaoZhang) matches the included scripts and SKILL.md. The scripts call the LaoZhang endpoint (api.laozhang.ai) and implement text->image and image-edit functionality as described. Minor manifest mismatch: skill.json/version and registry version differ (1.0.0 vs 1.0.1) but this is cosmetic.
Instruction Scope
SKILL.md and README instruct the user to store an API token in ~/.laozhang_api_token or pass it via --token; the scripts read that file. The scripts make outbound network requests to the LaoZhang API and will also download user-supplied image URLs. This behavior is expected for an image-edit/ generation skill, but it means running the skill will transmit prompts and (potentially) image URLs to a third party and fetch arbitrary URLs provided by user input (possible SSRF if untrusted inputs are used).
Install Mechanism
There is no automated install spec; this is essentially instruction + small Python scripts. The only dependency is 'requests' (documented). No remote archives or executable installs are pulled automatically.
Credentials
The registry metadata lists no required credentials, but the runtime instructions and both scripts require an API token (either via --token or the file ~/.laozhang_api_token). The skill therefore needs a secret (LaoZhang API token) even though no primary credential is declared in the manifest. Storing the token in a plaintext file in the home directory (as suggested) is functional but has confidentiality implications — the skill will read that file if present.
Persistence & Privilege
Skill does not request always:true, does not modify other skills or system configuration, and does not create persistent system services. It runs as CLI scripts and only writes files under the current working directory (generated-images) unless a different path is provided.
Assessment
This skill appears to do what it claims (cheap image gen/edit via LaoZhang). Before installing or running it: 1) Verify the LaoZhang service (https://api.laozhang.ai) is trustworthy for your data — prompts and image URLs are sent to that third party. 2) Be aware the scripts read a local token file (~/.laozhang_api_token) or accept --token; the skill manifest does not declare this credential — consider storing tokens securely and not reusing high‑privilege keys. 3) The scripts download images from arbitrary URLs you provide — avoid passing internal or sensitive endpoints to prevent unintended network access (SSRF risk). 4) Check billing/pricing and the affiliate link in the README (aff_code) if you care about referral behavior. 5) If you want stronger guarantees, request the author add an explicit primary credential field to the manifest, support reading a token from a secure env var or secret store, and document exactly what is transmitted to the LaoZhang API. If you trust the LaoZhang provider and accept the token/storage model, this skill is coherent and usable.Like a lobster shell, security has layers — review code before you run it.
latestvk97f3vkw3va46y6pa75cpw2ybh840sp5
License
MIT-0
Free to use, modify, and redistribute. No attribution required.