fame graphic

Pass. Audited by ClawScan on May 10, 2026.

Overview

This appears to be a straightforward OpenAI image-generation helper, with expected API-key/network use and local output files, but users should review a few setup and output-safety notes.

Use this skill if you are comfortable sending your image prompts to OpenAI or your configured OpenAI-compatible endpoint. Keep the API key scoped and private, verify any OPENAI_BASE_URL setting, and treat generated index.html files cautiously if prompts came from untrusted sources.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your OpenAI API key and prompts are sent to OpenAI, or to whatever OpenAI-compatible base URL is configured in the environment.

Why it was flagged

The helper sends the OpenAI API key as a bearer token to the default or environment-configured API endpoint. This is expected for image generation, but the endpoint must be one you trust, since whoever controls it receives both the key and the prompts, and the key itself should be handled carefully.

Skill content
os.environ.get("OPENAI_BASE_URL") or os.environ.get("OPENAI_API_BASE") or "https://api.openai.com" ... "Authorization": f"Bearer {api_key}"
Recommendation

Use a scoped OpenAI key, prefer environment-based secret handling, and verify OPENAI_BASE_URL/OPENAI_API_BASE before running the script.

What this means

Some installation paths may not include the documented helper script, making it harder to confirm you are running the reviewed code.

Why it was flagged

The package metadata only lists SKILL.md even though SKILL.md references a helper script and the manifest includes scripts/illustrate.py. This is a packaging/setup coherence gap, not evidence of malicious behavior.

Skill content
"files": [
    "SKILL.md"
  ]
Recommendation

The publisher should include the script in package metadata and declare Python/OpenAI-key requirements; users should run only the script included with the reviewed skill.

What this means

A malicious or untrusted prompt could affect the local gallery page when opened.

Why it was flagged

Prompt and subject text are inserted into the generated HTML gallery without HTML escaping. If untrusted prompt text contains markup and the user opens index.html, that markup (including any script it carries) would be rendered and executed in the browser context.

Skill content
html.append("<h3>" + meta.get("subject", "Illustration") + "</h3>") ... html.append(f"<pre>{it['prompt']}</pre>")
Recommendation

Escape prompt, subject, and metadata values before writing index.html, and avoid opening galleries generated from untrusted prompt text.