tgw-image
Pass
Audited by Gen Agent Trust Hub on Jul 4, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses
subprocess.runto call the macOSsecuritycommand-line utility for managing generic passwords. This implementation ensures that sensitiveOPENAI_API_KEYdata is stored in the user's system keychain rather than in local files or environment configuration files. - [COMMAND_EXECUTION]: The script
scripts/image2_generate.pyfacilitates the execution of the primary image generation logic by wrapping a local system script (image_gen.py). It securely injects the necessary credentials into the child process's environment without exposing them via command-line arguments. - [SAFE]: The skill includes comprehensive documentation and logic to prevent the accidental exposure of API keys. It explicitly forbids writing real keys to the repository and provides a dedicated configuration workflow that utilizes standard system security features.
- [SAFE]: Analysis of the Python scripts confirms that all
subprocesscalls use list-based arguments without shell execution (shell=Trueis absent), which significantly reduces the risk of command injection from user-supplied inputs.
Audit Metadata