Use when the user wants GPT-Image-2 image generation or image-to-image through an official OpenAI permission code/API key, a custom Responses-compatible prox...
Security Analysis
High confidence: The skill's files, instructions, and required tools are consistent with an image-generation CLI that supports official, proxy, and reserved relay modes; nothing in the package asks for unrelated credentials or hidden installs.
The name/description promise GPT-Image-2 image generation and the package contains a Node CLI that implements official, proxy, and reserved relay flows. The only declared runtime dependency is node, which is appropriate for a JavaScript CLI. Required binaries/env vars are not declared because the script accepts API keys and endpoints as arguments or common environment variables — this matches the stated purpose.
SKILL.md and the CLI instruct the agent to build Responses payloads, stream SSE, decode base64 images, and write PNG files. The CLI reads/writes a local state file at ~/.openclaw/autoGenImageSkill/state.json and accepts local image paths for image-to-image — both are reasonable for session persistence and image input, but you should note that session data (IDs/tokens returned by a relay) may be stored locally. The tool will send user prompts and images to whichever endpoint you supply (official OpenAI API, custom proxy, or a third‑party relay), so trust in the endpoint is required. The instructions explicitly advise not to echo secrets.
There is no install spec beyond requiring node and shipping the CLI script. No remote downloads or archive extraction are performed by the package. This is a low-risk install model: the code runs from the skill folder using an existing node binary.
The skill declares no required env vars (correct for an argument-driven CLI) but documents common variables (OPENAI_API_KEY, GPT_IMAGE_BASE_URL, GPT_IMAGE_API_KEY, GPT_IMAGE_RELAY_URL, GPT_IMAGE_PURCHASE_KEY, etc.). Those variables are proportional to the three supported access modes. The package does not request unrelated credentials (no cloud provider keys or system secrets). Be aware the script may persist session-related data to its state file if you use reserved mode.
always:false (normal). The CLI creates and writes a state file under the user's home (~/.openclaw/...), which is scoped to the skill but is persistent. agents/openai.yaml sets allow_implicit_invocation: true (the skill may be implicitly invoked by the agent when eligible) — this is standard but worth noting: if you allow autonomous agents, they can call the skill without per-call confirmation. The skill does not modify other skills or global agent config.
Guidance
This skill is coherent with its stated purpose, but before installing you should: (1) confirm you will supply API keys only to endpoints you trust (official OpenAI endpoints or a known proxy/relay); (2) avoid using unknown third‑party relay URLs or purchase keys unless you trust the operator, because prompts and input images will be sent there; (3) know the CLI will write state to ~/.openclaw/autoGenImageSkill/state.json (session tokens or IDs returned by a relay could be stored there) — inspect or remove that file if needed; (4) review the CLI source (scripts/gpt_image_cli.js) if you need to be certain it doesn’t log secrets in your environment; and (5) if you plan to let agents invoke skills autonomously, restrict use to trusted agents or disable implicit/autonomous invocation in your agent policy. Overall, the package looks consistent and does not request unrelated privileges or hidden installs.
Latest Release
v0.1.2
Rename the OpenClaw skill display and source root to autoGenImageSkill.
Published by @etherstrings on ClawHub