gpt image 2 generation

Advisory

Audited by Static analysis on May 10, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who obtains the key could potentially use the user's WellAPI account or credits.

Why it was flagged

The skill needs a WellAPI credential, may store it locally, and sends it as a bearer token to the WellAPI endpoint. This is expected for the service integration, but the credential carries sensitive authority.

Skill content

The user must supply a WellAPI key... `~/.config/gpt-image-2-generation/config.json`... `Authorization: Bearer <WELLAPI_API_KEY>`

Recommendation

Use a dedicated, revocable WellAPI key; avoid sharing it in untrusted contexts; rotate it if exposed; and remove the local config file if you no longer want the skill to use it.

What this means

Image prompts are sent to WellAPI, and generated files can be created or overwritten at the selected output path.

Why it was flagged

The script makes an external API call and writes returned image bytes to disk. These capabilities match the stated purpose, but they are still meaningful actions in the user's environment.

Skill content

`API_URL = "https://wellapi.ai/v1/images/generations"` ... `path.parent.mkdir(parents=True, exist_ok=True)` ... `path.write_bytes(data)`

Recommendation

Only send prompts you are comfortable sharing with WellAPI, and use an output path that does not overwrite important files.

What this means

Users have less external context for the publisher or update history of a skill that handles an API key.

Why it was flagged

The registry metadata does not provide a source repository or homepage, which limits external provenance verification even though the bundled code is visible in the supplied artifacts.

Skill content

Source: unknown
Homepage: none

Recommendation

Review the bundled scripts before use and prefer a revocable API key with limited value.