Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Openai Image Gen
v1.0.2
Batch-generate images via OpenAI Images API. Random prompt sampler + `index.html` gallery.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The script and SKILL.md both implement batch image generation via the OpenAI Images API (prompts → API calls → PNGs + index.html). That functionality aligns with the skill name and description. However, registry metadata claims no required env vars while SKILL.md and scripts require OPENAI_API_KEY (and optionally OPENAI_BASE_URL / OPENAI_API_BASE). The _meta.json ownerId/version/publishedAt values do not match the registry metadata, indicating sloppy or inconsistent packaging.
Instruction Scope
SKILL.md instructs running the included Python script and opening the generated index.html; the script only talks to the OpenAI API and (if returned) downloads image URLs from whatever the API returns. The instructions reference a hard-coded path (~/Projects/agent-scripts/skills/openai-image-gen/scripts/gen.py) and output locations (~/Projects/tmp/...) which may not match the skill's installed location — this is an operational mismatch but not direct malicious behavior. The instructions do not ask the agent to read unrelated files or exfiltrate data.
Install Mechanism
There is no install spec; this is instruction + a Python script. No package downloads or extract steps are present, minimizing install-time risk. The script uses only stdlib modules and writes output files locally.
Credentials
The script requires an OPENAI_API_KEY at runtime (and optionally reads OPENAI_BASE_URL / OPENAI_API_BASE). The registry metadata lists no required env vars, which is inconsistent and deceptive. Requiring an API key for this purpose is reasonable, but the manifest/instructions mismatch should be corrected and the user should be aware they'll need to provide a valid OpenAI key (which will be sent to the configured base URL).
Persistence & Privilege
The skill is not always-enabled, does not request elevated privileges, and does not modify other skills or global agent configuration. It writes files to standard user paths (~/Projects/tmp or ./tmp) which is expected for a generator tool.
What to consider before installing
This skill appears to do what it says (batch-generate images using the OpenAI Images API), but there are a few red flags to address before installing/using it:
(1) you must provide an OPENAI_API_KEY (the registry incorrectly claims none required) — only use a key with appropriate quota and consider a key with limited permissions;
(2) packaging metadata (owner/version/timestamps) is inconsistent, which could indicate sloppy publishing — review the code yourself before running;
(3) SKILL.md uses hard-coded file paths for running and output that may not match your environment — run the included script directly from the skill directory or adjust paths;
(4) the script will POST prompts and your API key to the configured API base and may download image URLs returned by that API — if you plan to run this in a sensitive environment, run it in an isolated container or VM and inspect network traffic.
If you want a stronger assurance, ask the publisher to fix the manifest to declare required env vars and provide matching metadata, or request an explanation for the discrepancies.
Like a lobster shell, security has layers — review code before you run it.
