gpt image 2 generation

Pass

Audited by ClawScan on May 10, 2026.

Overview

This skill appears purpose-aligned for generating images with WellAPI, but it requires a WellAPI API key, sends prompts to WellAPI, and saves credentials/images locally.

This skill is reasonable for WellAPI-based image generation. Before installing, be comfortable with providing a WellAPI API key, sending image prompts to wellapi.ai, and allowing the skill to save generated image files locally. Use a dedicated key you can rotate, and choose output paths carefully.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who obtains the key could potentially use the user's WellAPI account or credits.

Why it was flagged

The skill needs a WellAPI credential, may store it locally, and sends it as a bearer token to the WellAPI endpoint. This is expected for the service integration but is sensitive authority.

Skill content

The user must supply a WellAPI key... `~/.config/gpt-image-2-generation/config.json`... `Authorization: Bearer <WELLAPI_API_KEY>`

Recommendation

Use a dedicated, revocable WellAPI key; avoid sharing it in untrusted contexts; rotate it if exposed; and remove the local config file if you no longer want the skill to use it.

What this means

Image prompts are sent to WellAPI, and generated files can be created or overwritten at the selected output path.

Why it was flagged

The script makes an external API call and writes returned image bytes to disk. These capabilities match the stated purpose, but they are still meaningful actions in the user's environment.

Skill content

API_URL = "https://wellapi.ai/v1/images/generations" ... path.parent.mkdir(parents=True, exist_ok=True) ... path.write_bytes(data)

Recommendation

Only send prompts you are comfortable sharing with WellAPI, and use an output path that does not overwrite important files.

What this means

Users have less external context for the publisher or update history of a skill that handles an API key.

Why it was flagged

The registry metadata does not provide a source repository or homepage, which limits external provenance verification even though the bundled code is visible in the supplied artifacts.

Skill content

Source: unknown
Homepage: none

Recommendation

Review the bundled scripts before use and prefer a revocable API key with limited value.