← 返回 Skills 市场

Img2img

Name: Img2img
Author: binkosun

作者 Binko · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

251

总下载

当前安装

版本数

在 OpenClaw 中安装

/install img2img

功能描述

Generate images from text descriptions using DALL-E 3 while adhering to usage policies and avoiding realistic human faces.

使用说明 (SKILL.md)

img2img - 图生图能力

触发条件

当用户提到"图生图"、"AI 画图"、"生成图片"、"画一个"等时激活。

功能

使用 DALL-E 根据文字描述生成图片。

使用方式

用户发送描述文字，我调用 DALL-E 生成图片并发送。

技术实现

使用 OpenAI DALL-E 3 API 生成图片：

import openai
import base64
import os

api_key = os.environ.get("API_KEY")

client = openai.OpenAI(api_key=api_key)

response = client.images.generate(
  model="dall-e-3",
  prompt="描述文字",
  size="1024x1024",
  quality="standard",
  n=1,
)

image_url = response.data[0].url

限制

英文描述效果更好
避免生成真实人脸
遵守 DALL-E 使用政策

安全使用建议

This skill appears to do what it says (generate images with DALL·E) but has a few red flags you should address before installing or running it with real credentials: (1) The metadata fails to declare the required API_KEY environment variable — treat the skill as needing an OpenAI API key and only provide a key with minimal/scoped privileges. (2) The Node script sets https.Agent({ rejectUnauthorized: false }) and lets callers override the API base URL via BASE_URL / API_BASE_URL — these together let requests (including your API key) be sent to arbitrary servers and accept invalid TLS certs. Either remove or fix that agent option and avoid setting BASE_URL unless you control the endpoint. (3) Review the included code (gen_image.js / gen_image.py) yourself or in an isolated environment, and consider running it with a short-lived or limited key first. (4) If you decide to install, ensure npm packages come from the official registry and consider modifying the Node script to use the default secure agent and to explicitly declare the expected environment variables in the skill metadata. If you want, I can suggest exact code changes to remove the insecure TLS override and add explicit env-var checks.

功能分析

Type: OpenClaw Skill Name: img2img Version: 1.0.0 The skill bundle contains a significant security vulnerability in gen_image.js by explicitly disabling SSL certificate verification (rejectUnauthorized: false), which exposes the API_KEY to Man-in-the-Middle (MITM) attacks. Furthermore, package.json and package-lock.json specify a dependency on 'openai' version 6.32.0; since the official OpenAI Node.js library is currently on version 4.x, this suggests a potential supply chain risk or dependency confusion attempt. While the code logic aligns with the stated purpose of image generation, these high-risk configurations warrant caution.

能力评估

ℹ Purpose & Capability

The name/description match the implementation: both Python and Node scripts call the OpenAI images API to generate images. However the skill metadata declares no required environment variables or primary credential while both the SKILL.md and the provided scripts expect an API key (environment variable API_KEY). That mismatch reduces transparency.

⚠ Instruction Scope

SKILL.md shows using the OpenAI DALL·E API and references API_KEY in its example, but the skill metadata did not declare this required env var. The instructions themselves do not ask the agent to access unrelated files or endpoints, but the included Node code exposes additional runtime configuration (BASE_URL / API_BASE_URL) not described in the docs — granting the agent broader networking targets than the SKILL.md implies.

✓ Install Mechanism

No install spec is provided (instruction-only install), and the package.json + package-lock reference the official npm openai package from the npm registry. There are no downloads from untrusted URLs or extract steps. This is low-to-moderate risk typical for small skills.

⚠ Credentials

Both scripts require an OpenAI API key (API_KEY) although the registry metadata lists none. Additionally, the Node script allows overriding the base URL via BASE_URL/API_BASE_URL and creates an https.Agent with rejectUnauthorized: false — together these allow directing requests (and the API key) to arbitrary endpoints and accepting invalid TLS certificates, which is disproportionate to the stated purpose and introduces an exfiltration vector.

✓ Persistence & Privilege

The skill does not request always:true, does not modify other skills, and has no declared config-paths or system-wide changes. Autonomous invocation is allowed by default but not combined with other elevated privileges here.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install img2img
安装完成后，直接呼叫该 Skill 的名称或使用 /img2img 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release of img2img skill: - Supports generating images from text descriptions using DALL-E 3. - Activates when users request "图生图", "AI 画图", or similar image generation phrases. - Responds by sending back an image based on user-provided prompts. - Notes improved results with English prompts and restricts realistic human faces. - Complies with DALL-E usage policies.

元数据

Slug img2img

版本 1.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题

Img2img 是什么？

Generate images from text descriptions using DALL-E 3 while adhering to usage policies and avoiding realistic human faces. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 251 次。

如何安装 Img2img？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install img2img」即可一键安装，无需额外配置。

Img2img 是免费的吗？

是的，Img2img 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Img2img 支持哪些平台？

Img2img 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Img2img？

由 Binko（@binkosun）开发并维护，当前版本 v1.0.0。