Is openai-image-gen safe?
https://clawhub.ai/steipete/openai-image-gen
openai-image-gen is a straightforward image generation utility that calls the OpenAI Images API and produces a local HTML gallery. The code is clean, readable, and does what it claims. The primary concerns are: (1) the API key follows a redirectable base URL, which is a standard OpenAI pattern but creates a trust boundary, and (2) a minor stored XSS in the generated HTML gallery due to unescaped prompt text. No malicious intent detected.
Findings (6)
MEDIUM API key follows redirectable base URL -20
gen.py sends the OPENAI_API_KEY as a Bearer token to whatever URL is constructed from OPENAI_BASE_URL or OPENAI_API_BASE environment variables. If an attacker can control these env vars (e.g., via another skill or .env manipulation), the API key is sent to an arbitrary server. This follows standard OpenAI client patterns but is worth noting as a trust boundary.
MEDIUM Executable Python script with network access -25
The skill includes gen.py which makes outbound HTTP POST requests to the OpenAI API and writes binary files to disk. While this is the skill's intended purpose, it is executable code that an agent could be instructed to run, and it does perform network I/O and disk writes.
LOW Stored XSS in generated index.html -13
The _write_index function injects prompt text directly into HTML tags without escaping. A crafted --prompt containing HTML/JS (e.g., '') would result in executable JavaScript in the generated index.html file. Impact is limited since files are local.
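To make the two medium/low findings above concrete (the key following OPENAI_BASE_URL / OPENAI_API_BASE, and the unescaped prompt in index.html), here is an added illustration that is not gen.py's own code: a hypothetical gallery-card writer in the unescaped form beside an escaped form using html.escape, and a base-URL resolver that refuses to hand the key to a host outside an assumed allowlist. Function names, the card markup and the allowlist are assumptions.

```python
import html
from urllib.parse import urlparse

# Hypothetical card writer modelled on the finding: prompt text is dropped
# straight into the markup (constructed for illustration, not gen.py's code).
def render_card_unescaped(prompt: str, filename: str) -> str:
    return f'<figure><img src="{filename}"><figcaption>{prompt}</figcaption></figure>'

# Hardened form: html.escape(quote=True) turns <, >, &, " and ' into entities,
# so the prompt is rendered as text instead of being parsed as HTML/JS.
def render_card_escaped(prompt: str, filename: str) -> str:
    safe_prompt = html.escape(prompt, quote=True)
    safe_name = html.escape(filename, quote=True)
    return f'<figure><img src="{safe_name}"><figcaption>{safe_prompt}</figcaption></figure>'

# Mitigation for the base-URL finding: resolve the endpoint the same way the
# script does, but only accept HTTPS and an explicitly allowlisted host before
# any Bearer token is attached. The allowlist default is an assumption.
ALLOWED_API_HOSTS = frozenset({"api.openai.com"})

def resolve_base_url(env: dict, allowed_hosts=ALLOWED_API_HOSTS) -> str:
    raw = (env.get("OPENAI_BASE_URL")
           or env.get("OPENAI_API_BASE")
           or "https://api.openai.com/v1")
    parsed = urlparse(raw)
    if parsed.scheme != "https":
        raise ValueError(f"refusing non-HTTPS base URL: {raw}")
    if parsed.hostname not in allowed_hosts:
        raise ValueError(f"refusing to send API key to unlisted host: {parsed.hostname}")
    return raw.rstrip("/")

if __name__ == "__main__":
    crafted = "<script>alert(1)</script>"  # constructed hostile --prompt value
    print(render_card_unescaped(crafted, "img_001.png"))  # script tag survives
    print(render_card_escaped(crafted, "img_001.png"))    # rendered inert
    print(resolve_base_url({}))
    try:
        resolve_base_url({"OPENAI_BASE_URL": "https://example.invalid/v1"})
    except ValueError as exc:
        print("blocked:", exc)
```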
LOW API key readable from environment -12
The script reads OPENAI_API_KEY from environment variables or --api-key CLI argument. This is expected behavior for OpenAI integrations but means the skill has access to this secret at runtime.
INFO Hardcoded file paths in SKILL.md -5
SKILL.md references ~/Projects/agent-scripts/skills/openai-image-gen/scripts/gen.py as the execution path. This is an author-specific convention, not a security risk, but an agent following these instructions would attempt to execute from this path.
INFO Skill is benign but has composability risks -10
In isolation, this skill is low-risk. However, if combined with a skill that modifies environment variables (setting OPENAI_BASE_URL to a malicious endpoint), this skill would unknowingly exfiltrate the API key. This is a general composability concern, not specific to this skill.