tgw-image

Pass

Audited by Gen Agent Trust Hub on Jul 4, 2026

Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses subprocess.run to call the macOS security command-line utility for managing generic passwords. This implementation ensures that sensitive OPENAI_API_KEY data is stored in the user's system keychain rather than in local files or environment configuration files.
  • [COMMAND_EXECUTION]: The script scripts/image2_generate.py facilitates the execution of the primary image generation logic by wrapping a local system script (image_gen.py). It securely injects the necessary credentials into the child process's environment without exposing them via command-line arguments.
  • [SAFE]: The skill includes comprehensive documentation and logic to prevent the accidental exposure of API keys. It explicitly forbids writing real keys to the repository and provides a dedicated configuration workflow that utilizes standard system security features.
  • [SAFE]: Analysis of the Python scripts confirms that all subprocess calls use list-based arguments without shell execution (shell=True is absent), which significantly reduces the risk of command injection from user-supplied inputs.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 4, 2026, 01:08 AM
Security Audit — agent-trust-hub — tgw-image