openai-image-gen
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The
scripts/gen.pyscript downloads generated images from URLs returned by the OpenAI API usingurllib.request.urlretrieve. - [INDIRECT_PROMPT_INJECTION]: The script is vulnerable to HTML and script injection in the generated gallery file.
- Ingestion points: The
--promptcommand-line argument inscripts/gen.pyreceives untrusted input from the user. - Boundary markers: Absent. No delimiters or instructions are used to separate the prompt content from the HTML structure.
- Capability inventory: The script writes files to the local filesystem (
index.html,prompts.json) and performs network operations (OpenAI API requests). - Sanitization: Absent. The
write_galleryfunction directly interpolates thepromptvariable into the HTML template without escaping or sanitization.
Audit Metadata