LrshuAI Text To Speech

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill does perform text-to-speech-style API calls, but it also explicitly tells the agent to bypass the normal runner and includes a broader generic model/file-upload client than the TTS description suggests.

Review this skill carefully before installing. It needs a TEAM_API_KEY and sends prompts, and optionally files if used, to a remote API endpoint. The strongest issue is that it tells the agent not to use the normal OpenClaw runner and includes broader generic model/file-upload behavior than the text-to-speech description clearly explains.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may run the included code through a less controlled path than users expect for OpenClaw skills.

Why it was flagged

The skill explicitly instructs the agent to avoid the standard OpenClaw runner and execute the script directly with Python, which may bypass normal invocation boundaries or controls.

Skill content
You **must never** use `openclaw run`. You **must** run `script/invoke_model.py` directly with the system's built-in `python` command.
Recommendation

Use the standard skill runner unless there is a clearly documented reason for direct execution, and require user confirmation before direct shell/Python execution.

What this means

The skill could be used to call broader AI services or upload media files, which is more authority than a user may expect from a text-to-speech tool.

Why it was flagged

The script supports arbitrary model IDs and image/video inputs, including non-TTS examples, while the skill is described as a text-to-speech skill.

Skill content
parser.add_argument('--model', type=str, required=True, help='The model ID to use (e.g., qwen3_5-plus, sora-2, etc.)') ... parser.add_argument('--image' ...); parser.add_argument('--video' ...)
Recommendation

Restrict accepted models and inputs to the documented TTS use case, or clearly disclose the broader generic model and file-upload capabilities.

What this means

Your TEAM_API_KEY will be sent to the configured API endpoint, defaulting to dlazy.com.

Why it was flagged

The script uses the required API key as a bearer token for a remote API. This is expected for an API-backed TTS skill, but users should know which service receives the credential.

Skill content
api_key = os.getenv('TEAM_API_KEY') ... base_url = os.getenv('TEAM_BASE_URL', 'https://dlazy.com/api/ai/tool') ... "Authorization": f"Bearer {api_key}"
Recommendation

Only install if you trust the service endpoint and understand what account or billing authority the TEAM_API_KEY grants.

What this means

A stuck remote job could leave the command running until interrupted.

Why it was flagged

The script polls the remote service without a timeout after task submission. This is common for generation APIs, but it can run longer than expected if the service never returns a terminal status.

Skill content
while True:
    time.sleep(3)  # poll every 3 seconds
    poll_resp = requests.get(poll_endpoint, headers=headers)
Recommendation

Add a maximum polling time or retry limit, and tell users how to cancel long-running requests.

What this means

The skill may fail or rely on whatever Python packages are already present in the local environment.

Why it was flagged

The script depends on the Python `requests` package, but the provided install metadata only declares the `python` binary and no install spec.

Skill content
import requests
Recommendation

Declare Python package dependencies and pin expected versions if the skill requires third-party libraries.