Filtrix Image Generation
v1.0.0
Generate images using AI providers (OpenAI gpt-image-1, Google Gemini, fal.ai). Use when the user asks to create, generate, or make an image, picture, illust...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's code and SKILL.md clearly implement image generation/editing via OpenAI, Google Gemini, and fal.ai and legitimately need provider API keys. However, the registry metadata lists no required environment variables or primary credential while the SKILL.md and scripts require OPENAI_API_KEY, GOOGLE_API_KEY, and FAL_KEY. That metadata omission is an inconsistency that reduces transparency.
Instruction Scope
The SKILL.md instructions are scoped to generating or editing images and explicitly tell the agent to use the included scripts and set provider API keys. The scripts only access user-supplied image files, the declared provider APIs, and the filtrix.ai prompts page. One operational note: the scripts will fetch image URLs returned by providers (i.e., they may download remote content the provider returns), which is expected for this domain but worth knowing.
Install Mechanism
There is no install spec (lowest risk), and the code claims no pip dependencies and indeed uses only Python stdlib. However, the package includes two executable Python scripts (generate.py, edit.py) that will run locally — the lack of an install step doesn't remove execution risk from arbitrary code bundled with the skill.
Credentials
The environment/credential requirements in the SKILL.md (OPENAI_API_KEY, GOOGLE_API_KEY, FAL_KEY) are proportionate to the stated purpose. The problem is registry metadata not declaring these required env vars or a primary credential, which is misleading. Also note: these API keys are billing-capable credentials for third-party services — granting them lets the skill perform networked calls that may incur charges.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; it does not request persistent system-wide privileges, nor does it modify other skills or system configuration. Autonomous invocation is allowed (platform default) but not combined with any other elevated privilege here.
What to consider before installing
This skill appears to do what it says (multi-provider image generation) but has a few transparency issues you should address before installing:
1) The SKILL.md and included scripts require API keys (OPENAI_API_KEY, GOOGLE_API_KEY, FAL_KEY) but the registry metadata doesn't declare them — expect to provide those keys as environment variables.
2) The package contains executable Python scripts from an unknown source and no homepage; review the scripts (generate.py and edit.py) yourself or run them in an isolated environment.
3) Use non-production or limited-permission API keys where possible, because keys can incur charges when used.
4) If you need stronger assurance, ask the publisher for a homepage, contact information, or a signed release, or run the code in a sandbox and test with dummy keys first.
If you accept these caveats, the functionality is coherent; if not, do not install or run the scripts.
Like a lobster shell, security has layers — review code before you run it.
