nano-banana, gpt-image
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: vapi-image-gen
Version: 1.0.1
The vapi-image-gen skill is a standard implementation for generating and editing images using an OpenAI-compatible API (VAPI). The Python script (scripts/gen.py) uses the built-in urllib library to handle API requests and local file operations, including downloading images for editing and saving results to documented directories (~/.openclaw/media/). No evidence of data exfiltration, malicious execution, or prompt injection was found; the code's behavior aligns strictly with its stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Image generation or editing requests are made under the user's VAPI account and may consume quota or incur charges.
The script sends the configured VAPI API key as a bearer token when calling the image API. This is expected for the stated service, but it gives the skill authenticated API access.
`headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}`
Use a VAPI key with the minimum needed privileges and verify that VAPI_BASE_URL is the intended provider endpoint.
If the agent uses edit mode, the chosen input image may be uploaded to VAPI for processing.
The script can enter edit mode and upload a user-specified local image path or downloaded image URL to VAPI's /images/edits endpoint. This is aligned with image editing, but users should notice that selected images leave the local machine.
`ap.add_argument("--input", default="", help="Input image path or URL for editing (enables edit mode).")`
Only provide --input for images you intend to share with VAPI, and have the agent ask before uploading local/private images.
Generated images may be stored on disk instead of only returned as URLs.
The skill can write generated image files locally when save-related options are used, and gpt-image models are always saved because the API returns base64 data. This is disclosed and purpose-aligned.
`--save`: save to `~/.openclaw/media/`; `--oss`: save to `~/.openclaw/oss/`; gpt-image models always save to media/
Use the default URL-only mode when you do not want local files, and review any custom output directory before saving.
