LrshuAI Text To Image
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill appears to generate images through an external API, but it explicitly tells the agent to bypass the normal OpenClaw runner and run Python directly while using an API key and optionally uploading local media.
Review this skill before installing. Its image-generation behavior is mostly coherent, but the direct-Python/no-`openclaw run` instruction is unusual. If you proceed, use a limited TEAM_API_KEY, verify the API endpoint, and only pass media files you are comfortable uploading.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may run the script through the system Python path instead of the expected platform runner, which can reduce clarity about approvals, logging, and execution scope.
The skill gives an absolute instruction to avoid the normal OpenClaw runner and invoke a local Python script directly. Because that script performs network calls using a bearer API key, this is a material execution-boundary concern rather than just a harmless example command.
你**绝对不能**使用 `openclaw run`。你**必须**直接通过系统自带的 `python` 命令来运行 `script/invoke_model.py`。
Install only if you are comfortable with direct Python execution. Prefer a version that explains why `openclaw run` must be avoided or that supports the standard runner path.
The skill can spend or use whatever authority the provided TEAM_API_KEY grants, and a misconfigured endpoint could receive the key and request payload.
The script uses the declared `TEAM_API_KEY` as a bearer token for the remote API. It also allows the API destination to be changed with `TEAM_BASE_URL`, so the credential destination should be trusted.
api_key = os.getenv('TEAM_API_KEY') ... "Authorization": f"Bearer {api_key}" ... base_url = os.getenv('TEAM_BASE_URL', 'https://dlazy.com/api/ai/tool')Use a least-privileged API key, verify `TEAM_BASE_URL` is unset or points to a trusted endpoint, and rotate the key if you suspect it was exposed.
Reference images or videos provided to the skill may be uploaded to the provider API, which could expose sensitive local media if the wrong path is used.
If the agent passes `--image`, `--image-tail`, or `--video`, the script reads the selected local file, base64-encodes it, and sends it to the external API.
parser.add_argument('--image' ...); parser.add_argument('--video' ...); b64_data = encode_file_to_base64(args.image); ... requests.post(endpoint, headers=headers, json=payload)Only provide files you intend to upload, avoid sensitive local media, and confirm the destination service is acceptable before using image or video options.