diff --git a/CHANGELOG.md b/CHANGELOG.md
index e5801687828..369d5044135 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -38,6 +38,7 @@ Docs: https://docs.openclaw.ai
 ### Fixes
 
 - Agents/Compaction: count auto-compactions only after a non-retry `auto_compaction_end`, keeping session `compactionCount` aligned to completed compactions.
+- Security/Skills: escape user-controlled prompt, filename, and output-path values in `openai-image-gen` HTML gallery generation to prevent stored XSS in generated `index.html` output. (#12538) Thanks @CornBrother0x.
 - Security/OTEL: redact sensitive values (API keys, tokens, credential fields) from diagnostics-otel log bodies, log attributes, and error/reason span fields before OTLP export. (#12542) Thanks @brandonwise.
 - Security/CLI: redact sensitive values in `openclaw config get` output before printing config paths, preventing credential leakage to terminal output/history. (#13683) Thanks @SleuthCo.
 - Install/Discord Voice: make `@discordjs/opus` an optional dependency so `openclaw` install/update no longer hard-fails when native Opus builds fail, while keeping `opusscript` as the runtime fallback decoder for Discord voice flows. (#23737, #23733, #23703) Thanks @jeadland, @Sheetaa, and @Breakyman.
diff --git a/skills/openai-image-gen/scripts/gen.py b/skills/openai-image-gen/scripts/gen.py
index 7bd59e36126..4043f1a8ed7 100644
--- a/skills/openai-image-gen/scripts/gen.py
+++ b/skills/openai-image-gen/scripts/gen.py
@@ -9,6 +9,7 @@ import re
 import sys
 import urllib.error
 import urllib.request
+from html import escape as html_escape
 from pathlib import Path
 
 
@@ -131,8 +132,8 @@ def write_gallery(out_dir: Path, items: list[dict]) -> None:
 [
 f"""
- -
{it["prompt"]}
+ +
{html_escape(it["prompt"])}
""".strip()
 for it in items
@@ -152,7 +153,7 @@ def write_gallery(out_dir: Path, items: list[dict]) -> None:
 code {{ color: #9cd1ff; }}

openai-image-gen

-

Output: {out_dir.as_posix()}

+

Output: {html_escape(out_dir.as_posix())}

{thumbs}
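Review bot: Escaping here is done call by call (`html_escape(it["prompt"])` in the caption hunk above, `html_escape(out_dir.as_posix())` on the Output line), so any value interpolated into this f-string later without the call reopens the stored-XSS path. A backstop worth adding to the generated head is `<meta http-equiv="Content-Security-Policy" content="script-src 'none'">`, which keeps a missed escape from running script when `index.html` is opened; this assumes the gallery itself needs no JavaScript, and the full template is not visible in the hunk. The added line that carries the filename (named in the changelog entry) is not legible on this page, so please confirm it escapes with quotes enabled for the attribute context; HTML escaping alone also leaves `#`, `?` and `%` in a name to be read as URL syntax, which `urllib.parse.quote` before `html_escape` would avoid. `write_gallery` begins and ends outside both hunks.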
diff --git a/skills/openai-image-gen/scripts/test_gen.py b/skills/openai-image-gen/scripts/test_gen.py
new file mode 100644
index 00000000000..3f0a38d978f
--- /dev/null
+++ b/skills/openai-image-gen/scripts/test_gen.py
@@ -0,0 +1,50 @@
+"""Tests for write_gallery HTML escaping (fixes #12538 - stored XSS)."""
+
+import tempfile
+from pathlib import Path
+
+from gen import write_gallery
+
+
+def test_write_gallery_escapes_prompt_xss():
+ with tempfile.TemporaryDirectory() as tmpdir:
+ out = Path(tmpdir)
+ items = [{"prompt": '', "file": "001-test.png"}]
+ write_gallery(out, items)
+ html = (out / "index.html").read_text()
+ assert "