Chaoji Skills

The skill's name/description (routing to ChaoJi scene skills for try-on, cutout, img2img and a tools runner) matches what the code and per-scene SKILL.md files request: CHAOJI_AK/CHAOJI_SK and read access to ~/.chaoji/credentials.json and a python runtime. However the registry-level summary at the top of the package claims 'Required env vars: none' and 'Required binaries: none' while the runtime SKILL.md and scene SKILL.md files plainly declare python and CHAOJI_AK/CHAOJI_SK. Also the package is not truly 'instruction-only' as code files (chaoji-tools, executor, run_command, and many scripts) are present — that mismatch should be corrected or explained.

The SKILL.md routing instructions and per-scene SKILL.md files limit actions to calling the ChaoJi API via the internal Python runner, uploading images to OSS when needed, and reading/writing within ~/.openclaw/workspace/chaoji/ and output dirs. Those operations are coherent with the stated purpose. Items to review: (1) several scene skills read project-local preference/memory files (~/.openclaw/workspace/chaoji/PREFERENCE.md and memory/tryon.md) — these can contain sensitive project data; (2) chaoji-tools supports 'direct command execution' when the user supplies a command name/JSON — ensure that run_command and executor only accept a fixed registry of safe commands and cannot be tricked into running arbitrary system commands or exfiltrating data; (3) SKILL.md asserts