LrshuAI Sfx Generation

Review

Audited by ClawScan on May 10, 2026.

Overview

This sound-effect skill mostly matches its purpose, but it tells the agent to bypass the normal OpenClaw runner and execute a Python API wrapper directly with your TEAM_API_KEY.

Install only if you trust the publisher and are comfortable with the skill running a local Python script directly. Use a scoped TEAM_API_KEY, verify that TEAM_BASE_URL (default: dlazy.com) points to the intended provider, and do not pass private local files as image or video inputs.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may run the script outside the usual skill invocation path while the script has access to the TEAM_API_KEY and network.

Why it was flagged

The skill explicitly forces direct system Python execution and forbids the normal OpenClaw run path, without explaining why that runner should be bypassed.

Skill content

"systemPrompt":"当用户要求调用本技能时,你必须直接执行 `python script/invoke_model.py` 命令。不要使用 `openclaw run`。"

Recommendation

Prefer a standard OpenClaw invocation, or require explicit user approval and clear documentation for why direct execution is necessary.

What this means

If the agent or user supplies the wrong local file path, private files could be uploaded to the remote provider, and unexpected models could be invoked.

Why it was flagged

The helper can call arbitrary model IDs and can read local image/video file paths and send their base64 contents to the API, while SKILL.md only documents text-to-SFX use.

Skill content

parser.add_argument('--model', type=str, required=True, ...); parser.add_argument('--image', ...); parser.add_argument('--video', ...); ... base64.b64encode(f.read())

Recommendation

Limit the helper to the documented SFX model, remove unused media inputs, or clearly document that selected files may be uploaded.

What this means

The API key may grant access or incur usage charges, and it will be sent to the configured endpoint.

Why it was flagged

The script uses TEAM_API_KEY as a bearer token for the remote model API. This is expected for an AI provider integration, but the credential destination can be changed by TEAM_BASE_URL.

Skill content

api_key = os.getenv('TEAM_API_KEY') ... base_url = os.getenv('TEAM_BASE_URL', 'https://dlazy.com/api/ai/tool') ... "Authorization": f"Bearer {api_key}"

Recommendation

Use a scoped or disposable TEAM_API_KEY, verify TEAM_BASE_URL before running, and avoid using credentials with broader permissions than needed.