gpt-image-1-5
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH (CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- [CREDENTIALS_UNSAFE] (HIGH): The skill instructions and script facilitate passing sensitive OpenAI API keys as command-line arguments via the --api-key flag. This practice is insecure as command-line arguments are often logged in shell history files and are visible to other users and processes on the same system via tools like ps.
- [COMMAND_EXECUTION] (HIGH): The script is vulnerable to path traversal because it uses the --filename parameter directly with Path() to create directories and save files without any sanitization or validation. An attacker could provide a malicious filename like ../../.bashrc or similar paths to overwrite critical system or configuration files that the user has permissions to modify.
- [DATA_EXFILTRATION] (LOW): The script transmits user prompts and potentially local image data to OpenAI's API endpoints. While this is the intended functionality of an image generation tool, it constitutes data transit to a third-party service which may include sensitive context from the user's workspace.
Recommendations
- AI detected serious security threats
Audit Metadata