img2-generate-only

Audited by ClawScan on May 10, 2026.

Overview

The skill's goal is clear, but it asks for an API key and tells the agent to run an unpackaged, hard-coded local Python script, so users should review it before use.

Review or obtain the referenced Python script before using this skill. Do not pass a real API key unless you trust both the script and the configured base_url, and prefer safer secret handling instead of command-line arguments.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill may fail on most systems, or it may run whatever script happens to exist at that path; that script would receive the image prompt and API key.

Why it was flagged

The skill's runtime depends on a hard-coded absolute-path script, but the supplied package contains no such script or install spec. If invoked, the agent would run unreviewed local code.

Skill content

python3 /home/ye/.openclaw/workspace/scripts/img2_generate_only.py

Recommendation

Package the script with the skill, provide an install spec, avoid user-specific absolute paths, and review the script before passing real credentials to it.

What this means

A real API key could authorize charges or account access with the configured provider, and command-line secrets may be exposed through shell history or process listings.

Why it was flagged

The skill explicitly requires a provider API key and demonstrates passing it as a command-line argument. This is expected for the image API, but the key is sensitive.

Skill content

### 3) `api_key`
API key. ... --api_key "sk-xxxx"

Recommendation

Use only trusted API endpoints, prefer a secret manager or environment-based credential handling, and avoid placing real keys directly in command examples or logs.

What this means

Prompts and credentials are sent to the configured endpoint, and files are written to the configured local path.

Why it was flagged

The skill sends requests to a user-supplied API base URL and writes the generated image to a local output directory. This matches the stated purpose but should be used with trusted inputs.

Skill content

`base_url` ... `{base_url}/images/generations` ... `output_dir` ... `/tmp/generated-images`

Recommendation

Confirm the base URL belongs to the intended provider and choose an output directory that is safe for generated files.