OpenAI Image CLI

The SKILL.md describes a CLI that uses the OpenAI API and expects an OPENAI_API_KEY and an 'openai-image' binary — that is coherent with an image-generation CLI. However the registry metadata (requirements block shown earlier) lists no required env vars or binaries, while the SKILL.md metadata declares bins: ["openai-image"] and envs: ["OPENAI_API_KEY"]. This mismatch is an incoherence that could cause surprising behavior (the agent may assume no credentials are needed while the runtime expects them).

The instructions are focused on installing and using an external CLI, using local image files, stdin, and a local history/config. They do not direct the agent to exfiltrate arbitrary host files or read unrelated system state. Still, the SKILL.md instructs installation of a third-party npm CLI and expects the agent to invoke that binary — that expands runtime scope beyond an instruction-only skill and should be explicitly declared in the registry.

There is no install spec in the registry, but the SKILL.md tells users to run 'npm install -g @versatly/openai-image-cli'. Relying on a user-installed npm package is a legitimate design choice but the absence of an explicit install spec in the skill metadata is an incoherence. Installing a global npm package pulls code from the public registry (moderate risk); the package and its GitHub repo should be audited before installing.

The only credential actually needed by the CLI is OPENAI_API_KEY, which is appropriate for this purpose. But the registry's declared required env vars is empty while SKILL.md expects OPENAI_API_KEY; this discrepancy could mislead users about credential needs. No other unrelated secrets are requested.

No elevated privileges are requested: always is not set, model invocation is not disabled, and there are no required config paths. The skill does not request permanent presence or extra privileges.