← Back to Skills Marketplace
Openai Image Gen
by
saschaSpoonbill
· GitHub ↗
· v1.0.2
659
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install openai-image-gen-fixed
Description
Batch-generate images via OpenAI Images API. Random prompt sampler + `index.html` gallery.
Usage Guidance
This skill appears to do what it says (batch-generate images using the OpenAI Images API), but there are a few red flags to address before installing/using it: (1) you must provide an OPENAI_API_KEY (the registry incorrectly claims none required) — only use a key with appropriate quota and consider a key with limited permissions; (2) packaging metadata (owner/version/timestamps) is inconsistent, which could indicate sloppy publishing — review the code yourself before running; (3) SKILL.md uses hard-coded file paths for running and output that may not match your environment — run the included script directly from the skill directory or adjust paths; (4) the script will POST prompts and your API key to the configured API base and may download image URLs returned by that API — if you plan to run this in a sensitive environment, run it in an isolated container or VM and inspect network traffic. If you want a stronger assurance, ask the publisher to fix the manifest to declare required env vars and provide matching metadata, or request an explanation for the discrepancies.
Capability Analysis
Type: OpenClaw Skill
Name: openai-image-gen-fixed
Version: 1.0.2
The skill is classified as suspicious due to a Cross-Site Scripting (XSS) vulnerability in `scripts/gen.py`. The `_write_index` function directly embeds user-controlled or API-returned prompt strings into the `index.html` file without proper HTML escaping. If a malicious prompt (e.g., containing `</pre><script>alert(1)</script>`) is provided, it could lead to client-side code execution when the AI agent executes the `open` command on the generated `index.html` as instructed in `SKILL.md`. This constitutes a significant vulnerability, but not intentional malice by the script's author.
Capability Assessment
Purpose & Capability
The script and SKILL.md both implement batch image generation via the OpenAI Images API (prompts → API calls → PNGs + index.html). That functionality aligns with the skill name and description. However, registry metadata claims no required env vars while SKILL.md and scripts require OPENAI_API_KEY (and optionally OPENAI_BASE_URL / OPENAI_API_BASE). The _meta.json ownerId/version/publishedAt values do not match the registry metadata, indicating sloppy or inconsistent packaging.
Instruction Scope
SKILL.md instructs running the included Python script and opening the generated index.html; the script only talks to the OpenAI API and (if returned) downloads image URLs from whatever the API returns. The instructions reference a hard-coded path (~/Projects/agent-scripts/skills/openai-image-gen/scripts/gen.py) and output locations (~/Projects/tmp/...) which may not match the skill's installed location — this is an operational mismatch but not direct malicious behavior. The instructions do not ask the agent to read unrelated files or exfiltrate data.
Install Mechanism
There is no install spec; this is instruction + a Python script. No package downloads or extract steps are present, minimizing install-time risk. The script uses only stdlib modules and writes output files locally.
Credentials
The script requires an OPENAI_API_KEY at runtime (and optionally reads OPENAI_BASE_URL / OPENAI_API_BASE). The registry metadata lists no required env vars, which is inconsistent and deceptive. Requiring an API key for this purpose is reasonable, but the manifest/instructions mismatch should be corrected and the user should be aware they'll need to provide a valid OpenAI key (which will be sent to the configured base URL).
Persistence & Privilege
The skill is not always-enabled, does not request elevated privileges, and does not modify other skills or global agent configuration. It writes files to standard user paths (~/Projects/tmp or ./tmp) which is expected for a generator tool.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install openai-image-gen-fixed - After installation, invoke the skill by name or use
/openai-image-gen-fixed - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
Fix OpenAI Images API compatibility: remove response_format; support b64_json or url.
Metadata
Frequently Asked Questions
What is Openai Image Gen?
Batch-generate images via OpenAI Images API. Random prompt sampler + `index.html` gallery. It is an AI Agent Skill for Claude Code / OpenClaw, with 659 downloads so far.
How do I install Openai Image Gen?
Run "/install openai-image-gen-fixed" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Openai Image Gen free?
Yes, Openai Image Gen is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Openai Image Gen support?
Openai Image Gen is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Openai Image Gen?
It is built and maintained by saschaSpoonbill (@saschaspoonbill); the current version is v1.0.2.
More Skills