      Safety Report

      Openai Image Gen

      @steipete

      Batch-generate images via OpenAI Images API. Random prompt sampler + `index.html` gallery.

      13,620 Downloads
      650 Installs
      20 Stars
      2 Versions
      API Integration (4,971), Search & Retrieval (2,116), Image Processing (1,559)

      Security Analysis

      high confidence
      Suspicious, 0.04 risk

      The code does what the name/description claim (batch-generate images via the OpenAI Images API), but the skill metadata omits the required API key and the script allows overriding the API base URL (which could send your key to an arbitrary host) — these inconsistencies warrant caution.

      Feb 11, 2026, 2 files, 2 concerns

      Purpose & Capability: ok

      The included script implements batch image generation, prompt sampling, saving PNGs, prompts.json, and an index.html gallery — this matches the skill name and description.

      Instruction Scope: note

      SKILL.md tells the user to run the included Python script and open the gallery; it expects outputs in ~/Projects/tmp when present or ./tmp otherwise. The runtime instructions do not ask the agent to read unrelated system files or exfiltrate data, but they reference a specific repo-like path (~/Projects/agent-scripts/skills/openai-image-gen/scripts/gen.py) which may be incorrect for some installs and could confuse users.

      Install Mechanism: ok

      No install spec or external downloads — the skill is instruction + a local script only, so nothing is fetched or installed automatically.

      Credentials: concern

      SKILL.md and the script require an OpenAI API key (OPENAI_API_KEY) and accept OPENAI_BASE_URL / OPENAI_API_BASE overrides, but the registry metadata lists no required env vars or primary credential — this is an incoherence. Additionally, allowing OPENAI_BASE_URL/OPENAI_API_BASE to point anywhere means the script will send your Authorization header (the API key) to whatever host is configured, which could be abused if misconfigured or maliciously set.

      Persistence & Privilege: ok

      The skill does not request persistent/always-on inclusion, does not modify other skills, and only writes output files into the chosen out directory; no elevated platform privileges are requested.

      Guidance

      This skill's code looks consistent with its stated function, but the registry metadata failed to declare the required OPENAI_API_KEY (and optional OPENAI_BASE_URL / OPENAI_API_BASE). Before installing or running: (1) verify you want to provide your OpenAI API key and prefer using the --api-key flag or a dedicated environment variable; (2) do NOT set OPENAI_BASE_URL or OPENAI_API_BASE to unknown hosts (that would cause your API key to be sent to that host); (3) run with --dry-run first to inspect prompts, and review the script locally to satisfy yourself there are no surprises; and (4) be cautious about the SKILL.md file paths (they assume a particular local layout) and adjust commands to the actual install location.

      Latest Release

      v1.0.1


      Published by @steipete on ClawHub
