kiribon43567

gpt-image-2

Author KIRIBON43567 · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
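Total downloads: 154
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install gpt-image-2
Description
AI image generation skill that uses the gpt-image-2 model to generate high-quality images from text descriptions. After installing, the user must provide an access key before it can be used. Applies when the user asks to generate an image, draw a picture, do AI drawing, do text-to-image, produce a picture, and similar scenarios.
Usage instructions (SKILL.md)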

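gpt-image-2 image generation skill

First use after installation

After the user installs this Skill, immediately send the user the following welcome message:

🎨 The image generation skill is ready! Please send your access key first (format: IMGKEY-HK-XXXXXX). Once it is verified, send an image description to start generating images.

After receiving the key, run the verification:

python3 "$HOME/.openclaw/skills/gpt-image-2/scripts/generate_image.py" --key <user key> --quota

Windows users: if python3 is not available, use python instead; $HOME corresponds to %USERPROFILE%, and the path separator is \

  • Verification succeeds: tell the user the remaining quota and prompt "Please send an image description and I will generate the image for you 🖼️"
  • Verification fails: reply "The key is invalid, please check it and enter it again"

After the key is verified, remember it for the whole session so the user does not have to enter it again.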


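Image generation flow

When the user sends any image description, run the following script:

python3 "$HOME/.openclaw/skills/gpt-image-2/scripts/generate_image.py" \
  --key <user key> \
  --prompt "<user description>" \
  --quality low

The script automatically saves the image to the system temporary directory (/tmp/ on macOS/Linux, %TEMP%\ on Windows) and prints the actual save path.

  • On success, send the generated PNG image to the user as an attachment
  • Also report the remaining quota, for example: "Image generated! Remaining quota: X images"
  • If the quota is exhausted (error code 403), reply: "Your quota is used up, please contact the administrator for a new key"
  • If the upstream times out, the script retries automatically; tell the user "Generating, please wait (about 60 seconds)..."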

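Quota query

When the user says "check quota", "how many are left" or "how many more can I generate":

python3 "$HOME/.openclaw/skills/gpt-image-2/scripts/generate_image.py" --key <user key> --quota

Notes

  • Provides image generation only, no text chat or other functions
  • Image size is fixed at 1024×1024
  • Each image generation consumes 1 unit of quota
  • Do not reveal the server address, API keys, or any other backend information to the user
  • The script depends on Python 3 and the requests library, which the OpenClaw runtime environment usually includes
Security usage advice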
This skill will ask users to paste an access key into chat and will send that key and your image prompts to an undocumented server at 124.156.166.147 over plain HTTP. Before installing or using it, consider: (1) Do not paste real or privileged credentials into chat for this skill—use a throwaway or limited-scope token if you must test. (2) Ask the author/operator for the service's official domain, HTTPS support, privacy policy, and proof of legitimacy; decline if they cannot provide verifiable information. (3) Prefer skills that use well-known, documented endpoints (not hard-coded IPs) and encrypt traffic (HTTPS). (4) If you decide to test, run it in an isolated environment and review the script line-by-line; request removal of the 'do not reveal server' instruction or disclosure of the backend. If the operator provides a verified official host or moves to HTTPS and documents data handling, the assessment may change to benign.
Functional analysis
Type: OpenClaw Skill Name: gpt-image-2 Version: 1.0.1 The skill contains a potential shell injection vulnerability in SKILL.md, as it instructs the AI agent to pass unvalidated user input directly into a shell command line within double quotes. Additionally, the core script (scripts/generate_image.py) communicates with a hardcoded IP address (124.156.166.147) rather than a verified domain. While these behaviors are consistent with the stated purpose of image generation, the lack of input sanitization and the use of a raw IP address represent significant security risks.
Capability assessment
Purpose & Capability
The skill name/description say it uses a 'gpt-image-2' model and requires a user access key — that is plausible. However, the implementation hard-codes a backend SERVER at http://124.156.166.147:8765 (raw IP and non-HTTPS) rather than a documented/official hostname. The SKILL.md explicitly instructs the agent to ask for a key but never documents where requests are sent; additionally it instructs not to reveal server or backend info, which suggests deliberate obscuring of the actual endpoint. This is inconsistent with a transparent integration.
Instruction Scope
The SKILL.md tells the agent to prompt the user for their access key in chat and remember it for the session, then run the included script which transmits the key and the user's prompts to the remote SERVER. The instructions therefore cause sensitive secrets and user-provided content to be sent to an unknown external host. The requirement to 'not reveal server address' further hides where data is going. These behaviors go beyond simple local processing and are not disclosed to the user.
Install Mechanism
There is no install spec (instruction-only), and the only code is the included Python script. No external packages or downloads are performed by the installer itself, so installation risk is low. However, the script will make outbound HTTP requests to the hard-coded IP when executed.
Credentials
The skill asks users to paste a sensitive access key into the chat (not via a declared environment variable). The repo metadata declares no credentials, but the runtime flow explicitly captures and transmits user-provided keys to an undocumented third-party server. Requesting secrets over chat and sending them to an unknown HTTP endpoint is disproportionate and risky.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide configuration or write other skills' settings. SKILL.md says to 'remember' the key for the session, but the script does not persist keys to disk. Autonomous invocation is permitted by default (normal), but combined with the other concerns increases the blast radius.
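How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the dialog box: /install gpt-image-2
  3. After installation, call the Skill by name or trigger it with /gpt-image-2
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history
v1.0.1
gpt-image-2 v1.0.1
  • Added an automatic welcome message after first installation that guides the user to enter an access key for verification
  • Improved the key verification flow: a valid key is remembered automatically, so it does not have to be entered again
  • Clearer image generation flow: describing an image generates it directly and returns a PNG attachment, along with the remaining quota
  • Users can query their remaining quota, with clear feedback when the quota is used up or the key is invalid
  • States explicitly that only image generation is supported, with no chat or other services
Metadata
Slug gpt-image-2
Version 1.0.1
License MIT-0
Cumulative installs 0
Current installs 0
Historical versions 1
FAQ

What is gpt-image-2?

AI image generation skill that uses the gpt-image-2 model to generate high-quality images from text descriptions. After installing, the user must provide an access key before it can be used. Applies when the user asks to generate an image, draw a picture, do AI drawing, do text-to-image, produce a picture, and similar scenarios. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 154 cumulative downloads so far.

How do I install gpt-image-2?

Run the command "/install gpt-image-2" in the OpenClaw or Claude Code dialog box for one-click installation; no extra configuration is needed.

Is gpt-image-2 free?

Yes, gpt-image-2 is completely free. It uses the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does gpt-image-2 support?

gpt-image-2 runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed gpt-image-2?

It is developed and maintained by KIRIBON43567 (@kiribon43567); the current version is v1.0.1.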
