Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Img2img
v1.0.0Generate images from text descriptions using DALL-E 3 while adhering to usage policies and avoiding realistic human faces.
⭐ 0· 124·0 current·0 all-time
byBinko@binkosun
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The name/description match the implementation: both Python and Node scripts call the OpenAI images API to generate images. However the skill metadata declares no required environment variables or primary credential while both the SKILL.md and the provided scripts expect an API key (environment variable API_KEY). That mismatch reduces transparency.
Instruction Scope
SKILL.md shows using the OpenAI DALL·E API and references API_KEY in its example, but the skill metadata did not declare this required env var. The instructions themselves do not ask the agent to access unrelated files or endpoints, but the included Node code exposes additional runtime configuration (BASE_URL / API_BASE_URL) not described in the docs — granting the agent broader networking targets than the SKILL.md implies.
Install Mechanism
No install spec is provided (instruction-only install), and the package.json + package-lock reference the official npm openai package from the npm registry. There are no downloads from untrusted URLs or extract steps. This is low-to-moderate risk typical for small skills.
Credentials
Both scripts require an OpenAI API key (API_KEY) although the registry metadata lists none. Additionally, the Node script allows overriding the base URL via BASE_URL/API_BASE_URL and creates an https.Agent with rejectUnauthorized: false — together these allow directing requests (and the API key) to arbitrary endpoints and accepting invalid TLS certificates, which is disproportionate to the stated purpose and introduces an exfiltration vector.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no declared config-paths or system-wide changes. Autonomous invocation is allowed by default but not combined with other elevated privileges here.
What to consider before installing
This skill appears to do what it says (generate images with DALL·E) but has a few red flags you should address before installing or running it with real credentials: (1) The metadata fails to declare the required API_KEY environment variable — treat the skill as needing an OpenAI API key and only provide a key with minimal/scoped privileges. (2) The Node script sets https.Agent({ rejectUnauthorized: false }) and lets callers override the API base URL via BASE_URL / API_BASE_URL — these together let requests (including your API key) be sent to arbitrary servers and accept invalid TLS certs. Either remove or fix that agent option and avoid setting BASE_URL unless you control the endpoint. (3) Review the included code (gen_image.js / gen_image.py) yourself or in an isolated environment, and consider running it with a short-lived or limited key first. (4) If you decide to install, ensure npm packages come from the official registry and consider modifying the Node script to use the default secure agent and to explicitly declare the expected environment variables in the skill metadata. If you want, I can suggest exact code changes to remove the insecure TLS override and add explicit env-var checks.Like a lobster shell, security has layers — review code before you run it.
latestvk972v4k11k199dsr34rdhw856x834aa4
License
MIT-0
Free to use, modify, and redistribute. No attribution required.