Openai Image Gen

Batch-generate images via OpenAI Images API. Random prompt sampler + `index.html` gallery.

This skill appears to do what it says (batch-generate images using the OpenAI Images API), but there are a few red flags to address before installing/using it: (1) you must provide an OPENAI_API_KEY (the registry incorrectly claims none required) — only use a key with appropriate quota and consider a key with limited permissions; (2) packaging metadata (owner/version/timestamps) is inconsistent, which could indicate sloppy publishing — review the code yourself before running; (3) SKILL.md uses hard-coded file paths for running and output that may not match your environment — run the included script directly from the skill directory or adjust paths; (4) the script will POST prompts and your API key to the configured API base and may download image URLs returned by that API — if you plan to run this in a sensitive environment, run it in an isolated container or VM and inspect network traffic. If you want a stronger assurance, ask the publisher to fix the manifest to declare required env vars and provide matching metadata, or request an explanation for the discrepancies.

Type: OpenClaw Skill Name: openai-image-gen-fixed Version: 1.0.2 The skill is classified as suspicious due to a Cross-Site Scripting (XSS) vulnerability in `scripts/gen.py`. The `_write_index` function directly embeds user-controlled or API-returned prompt strings into the `index.html` file without proper HTML escaping. If a malicious prompt (e.g., containing `</pre><script>alert(1)</script>`) is provided, it could lead to client-side code execution when the AI agent executes the `open` command on the generated `index.html` as instructed in `SKILL.md`. This constitutes a significant vulnerability, but not intentional malice by the script's author.