← Back to Skills Marketplace
251
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install img2img
Description
Generate images from text descriptions using DALL-E 3 while adhering to usage policies and avoiding realistic human faces.
README (SKILL.md)
img2img - 图生图能力
触发条件
当用户提到"图生图"、"AI 画图"、"生成图片"、"画一个"等时激活。
功能
使用 DALL-E 根据文字描述生成图片。
使用方式
用户发送描述文字,我调用 DALL-E 生成图片并发送。
技术实现
使用 OpenAI DALL-E 3 API 生成图片:
import openai
import base64
import os
api_key = os.environ.get("API_KEY")
client = openai.OpenAI(api_key=api_key)
response = client.images.generate(
model="dall-e-3",
prompt="描述文字",
size="1024x1024",
quality="standard",
n=1,
)
image_url = response.data[0].url
限制
- 英文描述效果更好
- 避免生成真实人脸
- 遵守 DALL-E 使用政策
Usage Guidance
This skill appears to do what it says (generate images with DALL·E) but has a few red flags you should address before installing or running it with real credentials: (1) The metadata fails to declare the required API_KEY environment variable — treat the skill as needing an OpenAI API key and only provide a key with minimal/scoped privileges. (2) The Node script sets https.Agent({ rejectUnauthorized: false }) and lets callers override the API base URL via BASE_URL / API_BASE_URL — these together let requests (including your API key) be sent to arbitrary servers and accept invalid TLS certs. Either remove or fix that agent option and avoid setting BASE_URL unless you control the endpoint. (3) Review the included code (gen_image.js / gen_image.py) yourself or in an isolated environment, and consider running it with a short-lived or limited key first. (4) If you decide to install, ensure npm packages come from the official registry and consider modifying the Node script to use the default secure agent and to explicitly declare the expected environment variables in the skill metadata. If you want, I can suggest exact code changes to remove the insecure TLS override and add explicit env-var checks.
Capability Analysis
Type: OpenClaw Skill
Name: img2img
Version: 1.0.0
The skill bundle contains a significant security vulnerability in gen_image.js by explicitly disabling SSL certificate verification (rejectUnauthorized: false), which exposes the API_KEY to Man-in-the-Middle (MITM) attacks. Furthermore, package.json and package-lock.json specify a dependency on 'openai' version 6.32.0; since the official OpenAI Node.js library is currently on version 4.x, this suggests a potential supply chain risk or dependency confusion attempt. While the code logic aligns with the stated purpose of image generation, these high-risk configurations warrant caution.
Capability Assessment
Purpose & Capability
The name/description match the implementation: both Python and Node scripts call the OpenAI images API to generate images. However the skill metadata declares no required environment variables or primary credential while both the SKILL.md and the provided scripts expect an API key (environment variable API_KEY). That mismatch reduces transparency.
Instruction Scope
SKILL.md shows using the OpenAI DALL·E API and references API_KEY in its example, but the skill metadata did not declare this required env var. The instructions themselves do not ask the agent to access unrelated files or endpoints, but the included Node code exposes additional runtime configuration (BASE_URL / API_BASE_URL) not described in the docs — granting the agent broader networking targets than the SKILL.md implies.
Install Mechanism
No install spec is provided (instruction-only install), and the package.json + package-lock reference the official npm openai package from the npm registry. There are no downloads from untrusted URLs or extract steps. This is low-to-moderate risk typical for small skills.
Credentials
Both scripts require an OpenAI API key (API_KEY) although the registry metadata lists none. Additionally, the Node script allows overriding the base URL via BASE_URL/API_BASE_URL and creates an https.Agent with rejectUnauthorized: false — together these allow directing requests (and the API key) to arbitrary endpoints and accepting invalid TLS certificates, which is disproportionate to the stated purpose and introduces an exfiltration vector.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no declared config-paths or system-wide changes. Autonomous invocation is allowed by default but not combined with other elevated privileges here.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install img2img - After installation, invoke the skill by name or use
/img2img - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of img2img skill:
- Supports generating images from text descriptions using DALL-E 3.
- Activates when users request "图生图", "AI 画图", or similar image generation phrases.
- Responds by sending back an image based on user-provided prompts.
- Notes improved results with English prompts and restricts realistic human faces.
- Complies with DALL-E usage policies.
Metadata
Frequently Asked Questions
What is Img2img?
Generate images from text descriptions using DALL-E 3 while adhering to usage policies and avoiding realistic human faces. It is an AI Agent Skill for Claude Code / OpenClaw, with 251 downloads so far.
How do I install Img2img?
Run "/install img2img" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Img2img free?
Yes, Img2img is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Img2img support?
Img2img is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Img2img?
It is built and maintained by Binko (@binkosun); the current version is v1.0.0.
More Skills