Image Gen Compare
Review
Audited by ClawScan on May 10, 2026.
Overview
The image comparison function is mostly coherent, but it can save generated images to a cloud-synced Proton Drive folder and uses local credential tooling in ways users should review first.
Review and, if needed, edit the output directory before running, especially if you do not want generated images synced to Proton Drive. Use a narrowly scoped OpenAI key or 1Password service account, and remember that prompts sent to paid cloud models and stored in runs.json may contain sensitive project information.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Generated images could be synced to a cloud drive unexpectedly, which may expose private prompts or generated content beyond the local workspace.
The script automatically prefers a hard-coded cloud-synced Proton Drive location when that folder exists, while SKILL.md only presents the workspace image output behavior.
# Save to Proton Drive Artifacts (synced, visible in Proton Drive app)
_PROTON = Path.home() / "Library/CloudStorage/ProtonDrive-user@proton.me-folder/Artifacts/images"
OUTPUT_DIR = _PROTON / _today if _PROTON.parent.exists() else WORKSPACE / "content" / "images"
Make the output directory explicit, default to the workspace, and require a clear user option before writing to any cloud-synced folder.
This is expected for an OpenAI integration, but it gives the skill access to sensitive credential plumbing if the fallback path is used.
The script can read a local 1Password service token file and use the 1Password CLI to retrieve an OpenAI API key.
token_path = Path.home() / ".config/openclaw/.op-service-token"
env["OP_SERVICE_ACCOUNT_TOKEN"] = token_path.read_text().strip()
["op", "read", "op://OpenClaw/OpenAI API Key/credential"]
Prefer using an explicitly provided OPENAI_API_KEY, document the 1Password fallback clearly, and ensure the service account is scoped only to the needed OpenAI credential.
Prompts and generation history may remain on disk after use, which could matter if prompts contain sensitive project details.
The script persistently stores run metadata, and each result includes the prompt, generated file path, timestamp, cost, and latency.
RUNS_LOG = WORKSPACE / "content" / "images" / "runs.json"
...
runs.append(result)
RUNS_LOG.write_text(json.dumps(runs, indent=2))
Tell users exactly what is logged, provide a cleanup option, and avoid entering sensitive text unless persistence is acceptable.
First use may download large external model files and depends on packages the registry does not fully describe.
Local generation depends on external Python packages and large model downloads, but there is no install spec or pinned dependency list in the provided artifacts.
raise RuntimeError("mflux not installed. Run: pip install mflux")
...
print(" (First run: downloads ~9GB model from HuggingFace — grab a coffee)")
...
StableDiffusionXLPipeline.from_pretrained("stabilityai/stable-diffusion-xl-base-1.0"
Declare optional dependencies, model sources, expected download sizes, and versions so users can review them before running.
