API Video Image

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill mostly does what it says (generate images/videos via an API), but it handles configuration inconsistently, asks to read/modify a user config file without declaring that in its manifest, and points to a third-party relay URL in its examples. These gaps increase risk and deserve attention before installing.

Before installing or using this skill:

(1) Know that it reads API URLs and keys from ~/.openclaw/workspace/USER.md; back up that file and inspect what you put there.

(2) Do not place high-privilege or provider master keys (e.g., your main OpenAI key) into USER.md unless you trust the relay; prefer using an API key scoped to the media service or a dedicated relay account.

(3) SKILL.md suggests it may auto-modify USER.md. Confirm whether the agent will actually write to your file, and require explicit permission before any write.

(4) Verify and prefer trusted endpoints: the SKILL.md example uses jeniya.cn (third-party); if you must use a relay, use a provider you trust or a direct vendor API endpoint.

(5) Consider running the skill in an isolated account or VM first to observe the network endpoints it calls and to ensure it only uses keys you expect.

(6) If unsure, ask the author to (a) declare the config path/credential requirements in the manifest, (b) provide an option to use environment variables instead of a plaintext file, and (c) document whether the agent will write to USER.md and under what circumstances.

SkillSpector

By NVIDIA

SkillSpector findings are pending for this release.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

No VirusTotal findings
