image generation gpt image
Pass
Audited by ClawScan on May 16, 2026.
Overview
This is a coherent WellAPI image-generation skill, but users should notice it uses a WellAPI API key, can upload selected local images for editing, and has some listing/package metadata mismatches.
Before installing, confirm you trust WellAPI and the ClawHub listing, set a dedicated WELLAPI_API_KEY if possible, and only provide image files you are willing to upload to the provider.
Publisher note
This skill calls a single third-party HTTPS endpoint, https://wellapi.ai/v1/images/{generations,edits}, to generate or edit images via the WellAPI gpt-image-2 model. It reads the WELLAPI_API_KEY environment variable (declared in metadata.openclaw.requires.env / primaryEnv) and sends it as an Authorization: Bearer header. No other network destinations are contacted. The skill writes the decoded base64 image bytes to the current working directory as wellapi-<timestamp>.<png|jpg|jpeg|webp>; filenames are sanitized with `tr -cd 'A-Za-z0-9._-'` and the extension is whitelisted before any shell interpolation. No telemetry, no analytics, no background tasks.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with the key may be able to use the associated WellAPI account or consume paid quota.
The skill requires a WellAPI API key and sends it to the stated provider as a bearer token; this is expected for the integration but is still a sensitive credential.
Authentication: `Authorization: Bearer <WELLAPI_API_KEY>` header.
Use a dedicated WellAPI key if possible, store it in the environment rather than sharing it broadly in chat, and rotate it if it is exposed.
Private or sensitive images selected for editing would be uploaded to the third-party provider.
For image editing, the skill sends user-provided local image files to WellAPI. The destination and limits are disclosed, but the files still leave the local machine.
`image` | file (repeatable) | ✅ | One or more input images. **Up to 16 images, total ≤ 50MB.**
Only attach images you are comfortable sending to WellAPI, and verify file paths before running image-edit requests.
Users may have less certainty that the listing identity and packaged artifact refer to the same published version.
The package metadata differs from the supplied registry metadata, which lists a different owner ID, slug, and version. This is a provenance/listing consistency issue, not evidence of malicious behavior.
"ownerId": "kn74p4xy6sja0199cea53anecs81kqjs", "slug": "best-image-generation", "version": "1.0.2"
Verify the skill identity on ClawHub and prefer publishers that keep registry metadata, SKILL.md, and _meta.json aligned.
