Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

autoGenImageSkill

v0.1.2

Use when the user wants GPT-Image-2 image generation or image-to-image through an official OpenAI permission code/API key, a custom Responses-compatible prox...

by Wu Bo Yu (@etherstrings)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for etherstrings/autogenimageskill.

Prompt preview (Install & Setup):
Install the skill "autoGenImageSkill" (etherstrings/autogenimageskill) from ClawHub.
Skill page: https://clawhub.ai/etherstrings/autogenimageskill
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: node
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install etherstrings/autogenimageskill

ClawHub CLI

npx clawhub@latest install autogenimageskill
Security Scan
Capability signals
Crypto · Can make purchases · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description promise GPT-Image-2 image generation and the package contains a Node CLI that implements official, proxy, and reserved relay flows. The only declared runtime dependency is node, which is appropriate for a JavaScript CLI. Required binaries/env vars are not declared because the script accepts API keys and endpoints as arguments or common environment variables — this matches the stated purpose.
Instruction Scope
SKILL.md and the CLI instruct the agent to build Responses payloads, stream SSE, decode base64 images, and write PNG files. The CLI reads/writes a local state file at ~/.openclaw/autoGenImageSkill/state.json and accepts local image paths for image-to-image — both are reasonable for session persistence and image input, but you should note that session data (IDs/tokens returned by a relay) may be stored locally. The tool will send user prompts and images to whichever endpoint you supply (official OpenAI API, custom proxy, or a third‑party relay), so trust in the endpoint is required. The instructions explicitly advise not to echo secrets.
Install Mechanism
There is no install spec beyond requiring node and shipping the CLI script. No remote downloads or archive extraction are performed by the package. This is a low-risk install model: the code runs from the skill folder using an existing node binary.
Credentials
The skill declares no required env vars (correct for an argument-driven CLI) but documents common variables (OPENAI_API_KEY, GPT_IMAGE_BASE_URL, GPT_IMAGE_API_KEY, GPT_IMAGE_RELAY_URL, GPT_IMAGE_PURCHASE_KEY, etc.). Those variables are proportional to the three supported access modes. The package does not request unrelated credentials (no cloud provider keys or system secrets). Be aware the script may persist session-related data to its state file if you use reserved mode.
Persistence & Privilege
always:false (normal). The CLI creates and writes a state file under the user's home (~/.openclaw/...), which is scoped to the skill but is persistent. agents/openai.yaml sets allow_implicit_invocation: true (the skill may be implicitly invoked by the agent when eligible) — this is standard but worth noting: if you allow autonomous agents, they can call the skill without each-call confirmation. The skill does not modify other skills or global agent config.
Assessment
This skill is coherent with its stated purpose, but before installing you should: (1) confirm you will supply API keys only to endpoints you trust (official OpenAI endpoints or a known proxy/relay); (2) avoid using unknown third‑party relay URLs or purchase keys unless you trust the operator, because prompts and input images will be sent there; (3) know the CLI will write state to ~/.openclaw/autoGenImageSkill/state.json (session tokens or IDs returned by a relay could be stored there) — inspect or remove that file if needed; (4) review the CLI source (scripts/gpt_image_cli.js) if you need to be certain it doesn’t log secrets in your environment; and (5) if you plan to let agents invoke skills autonomously, restrict use to trusted agents or disable implicit/autonomous invocation in your agent policy. Overall, the package looks consistent and does not request unrelated privileges or hidden installs.
scripts/gpt_image_cli.js:76
Environment variable access combined with network send.
scripts/gpt_image_cli.js:79
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Bins: node
latest: vk9720xxe4zk5r05rndybq72t5d85kynt
25 downloads
0 stars
1 version
Updated 4h ago
v0.1.2
MIT-0

autoGenImageSkill

Overview

Use this OpenClaw skill to generate PNG images with the local gpt_image relay pattern: a Responses API request uses text model gpt-5.4 plus an image_generation tool using gpt-image-2, then writes the returned base64 image to disk. The bundled CLI exposes three access paths so agents can pick the right entry without rewriting fetch/SSE/image decoding logic.

The main script is scripts/gpt_image_cli.js. Run it with Node 18+. In OpenClaw, reference it as {baseDir}/scripts/gpt_image_cli.js so the command works wherever the skill folder is located.

External pages:

  • ClawHub / OpenClaw: https://clawhub.ai/Etherstrings/autogenimageskill
  • Hermes Agent GitHub skill source: https://github.com/Etherstrings/autoGenImageSkill/tree/main/autoGenImageSkill

Sponsorship

  • Afdian (爱发电): https://ifdian.net/a/etherstrings
  • GitHub donate section: https://github.com/Etherstrings/autoGenImageSkill#donate


Access Choice

  1. Use official when the user provides an official OpenAI permission code/API key or explicitly wants the official API path.
  2. Use proxy when the user provides a custom base_url, proxy endpoint, provider name, or third-party Responses-compatible API key.
  3. Use reserved when the user wants to use the creator's reserved capacity, purchase/redeem a key, check quota, or call the relay service that exposes /api/session, /api/keys, and /api/generate/jobs.

Do not echo API keys, permission codes, purchase keys, or provider tokens back to the user. Use environment variables or shell variables in examples.

Quick Commands

Official API key / permission code:

node {baseDir}/scripts/gpt_image_cli.js generate \
  --mode official \
  --permission-code "$OPENAI_API_KEY" \
  --prompt "一张电影感的雨夜赛博城市街景" \
  --output output/cyber-rain.png

Custom proxy:

node {baseDir}/scripts/gpt_image_cli.js generate \
  --mode proxy \
  --base-url "$GPT_IMAGE_BASE_URL" \
  --api-key "$GPT_IMAGE_API_KEY" \
  --prompt "透明背景的可爱机器人贴纸" \
  --size 1024x1024 \
  --output output/robot-sticker.png

Reserved purchased capacity:

node {baseDir}/scripts/gpt_image_cli.js generate \
  --mode reserved \
  --service-url "$GPT_IMAGE_RELAY_URL" \
  --purchase-key "$GPT_IMAGE_PURCHASE_KEY" \
  --prompt "国风水墨质感的未来城市海报" \
  --output output/ink-future-city.png

Image-to-image:

node {baseDir}/scripts/gpt_image_cli.js generate \
  --mode proxy \
  --base-url "$GPT_IMAGE_BASE_URL" \
  --api-key "$GPT_IMAGE_API_KEY" \
  --prompt "保持人物姿势,改成高端杂志封面摄影" \
  --image /absolute/path/reference.png \
  --output output/cover.png

Reserved Flow

For reserved capacity, create or reuse a session before generation when the user wants account persistence:

node {baseDir}/scripts/gpt_image_cli.js session \
  --service-url "$GPT_IMAGE_RELAY_URL" \
  --profile-name "demo-user" \
  --save-session

Redeem a purchase key without generating:

node {baseDir}/scripts/gpt_image_cli.js redeem \
  --service-url "$GPT_IMAGE_RELAY_URL" \
  --purchase-key "$GPT_IMAGE_PURCHASE_KEY" \
  --user-id "$GPT_IMAGE_USER_ID"

Check quota:

node {baseDir}/scripts/gpt_image_cli.js quota \
  --service-url "$GPT_IMAGE_RELAY_URL" \
  --user-id "$GPT_IMAGE_USER_ID"

References

  • Read references/access-modes.md when choosing among official, proxy, and reserved entries or when a user asks how to configure them.
  • Read references/runtime.md when debugging generation, SSE parsing, relay quota, OpenClaw/Hermes packaging, or the relationship to the original gpt_image project.

Output Rules

Always return the absolute output image path and the decisive metadata: access mode, endpoint or relay job ID, provider name when available, byte size, and any revised prompt returned by the model. Keep credentials redacted.
