Generate product photos for ecommerce

This skill appears to do what it claims (a ProductAI.photo client and CLI). Before installing or handing over an API key, consider the following: - Don't paste a production API key into an untrusted chat or agent; prefer a test key or token with limited quota while validating the skill. Rotate the key if it is exposed. - The setup saves your API key to ~/.openclaw/workspace/productai/config.json with 0o600 permissions (script enforces this). That is standard for CLI tools but still means any local process with your user privileges can read it. - The code performs basic SSRF protection by blocking HTTP and obvious private hostnames, but hostname-only checks can be bypassed if a hostname resolves to a private IP. If you will supply untrusted input for image URLs, review or harden URL-to-IP resolution checks (resolve DNS and verify IP ranges) before production use. - Generated image URLs returned by the API are downloaded without additional URL validation; if you have concerns, inspect returned URLs before download or add validation for domains you trust. - Minor inconsistencies exist (e.g., setup.py default model string differs from other docs: 'nano-banana-2' vs 'nanobanana', and package.json lists Python deps in an npm manifest). These look like documentation/config mismatches rather than malicious behavior, but you may want to correct them. Recommended steps before trusting this skill: review the productai_client.py and setup.py locally, test with a low-privilege/test API key, monitor your ProductAI dashboard for unexpected usage, and consider applying additional SSRF protections if you will process untrusted image URLs.