diff --git a/.github/workflows/shared/genaiscript.md b/.github/workflows/shared/genaiscript.md
index 4feef38425..014b7a58c8 100644
--- a/.github/workflows/shared/genaiscript.md
+++ b/.github/workflows/shared/genaiscript.md
@@ -5,6 +5,19 @@ engine:
     GH_AW_AGENT_VERSION: "2.5.1"
     GH_AW_AGENT_MODEL_VERSION: "openai:gpt-4.1"
   steps:
+    - name: Validate OPENAI_API_KEY secret
+      run: |
+        if [ -z "$OPENAI_API_KEY" ]; then
+          echo "Error: OPENAI_API_KEY secret is not set"
+          echo "The GenAIScript engine with openai:gpt-4.1 model requires OPENAI_API_KEY secret to be configured."
+          echo "Please configure this secret in your repository settings."
+          echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/"
+          exit 1
+        fi
+        echo "OPENAI_API_KEY secret is configured"
+      env:
+        OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+    
     - name: Install GenAIScript
       run: npm install -g genaiscript@${GH_AW_AGENT_VERSION} && genaiscript --version
       env:
@@ -33,6 +46,7 @@ engine:
         GH_AW_PROMPT: ${{ env.GH_AW_PROMPT }}
         GH_AW_MCP_CONFIG: ${{ env.GH_AW_MCP_CONFIG }}
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
 ---
 
 <!--
@@ -53,10 +67,12 @@ imports:
 - The original prompt file is converted to GenAI markdown format (prompt.genai.md)
 - GenAIScript is executed with MCP server configuration if available
 - Output is captured in the agent log file
+- **OPENAI_API_KEY secret must be configured** in repository settings when using OpenAI models
 
 **Note**: 
 - This workflow requires internet access to install npm packages
 - The genaiscript version can be customized by setting the `GH_AW_AGENT_VERSION` environment variable (default: `2.5.1`)
 - The AI model can be customized by setting the `GH_AW_AGENT_MODEL_VERSION` environment variable (default: `openai:gpt-4.1`)
 - MCP server configuration is automatically passed if configured in the workflow
+- When using `openai:` models, ensure the `OPENAI_API_KEY` secret is configured in your repository settings
 -->
diff --git a/.github/workflows/smoke-genaiscript.lock.yml b/.github/workflows/smoke-genaiscript.lock.yml
index 9ae1a33476..46a1f28599 100644
--- a/.github/workflows/smoke-genaiscript.lock.yml
+++ b/.github/workflows/smoke-genaiscript.lock.yml
@@ -1106,6 +1106,25 @@ jobs:
           name: aw_info.json
           path: /tmp/gh-aw/aw_info.json
           if-no-files-found: warn
+      - name: Validate OPENAI_API_KEY secret
+        run: |
+          if [ -z "$OPENAI_API_KEY" ]; then
+            echo "Error: OPENAI_API_KEY secret is not set"
+            echo "The GenAIScript engine with openai:gpt-4.1 model requires OPENAI_API_KEY secret to be configured."
+            echo "Please configure this secret in your repository settings."
+            echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/"
+            exit 1
+          fi
+          echo "OPENAI_API_KEY secret is configured"
+        env:
+          GH_AW_AGENT_MODEL_VERSION: openai:gpt-4.1
+          GH_AW_AGENT_VERSION: 2.5.1
+          GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/mcp-servers.json
+          GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
+          GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
+          GH_AW_SAFE_OUTPUTS_CONFIG: "\"{\\\"create_issue\\\":{\\\"max\\\":1,\\\"min\\\":1},\\\"missing_tool\\\":{}}\""
+          GH_AW_SAFE_OUTPUTS_STAGED: "true"
+          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
       - name: Install GenAIScript
         run: npm install -g genaiscript@${GH_AW_AGENT_VERSION} && genaiscript --version
         env:
@@ -1148,6 +1167,7 @@ jobs:
           GH_AW_SAFE_OUTPUTS_CONFIG: "\"{\\\"create_issue\\\":{\\\"max\\\":1,\\\"min\\\":1},\\\"missing_tool\\\":{}}\""
           GH_AW_SAFE_OUTPUTS_STAGED: "true"
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
       - name: Ensure log file exists
         run: |
           echo "Custom steps execution completed" >> /tmp/gh-aw/agent-stdio.log
@@ -2382,6 +2402,25 @@ jobs:
         run: |
           mkdir -p /tmp/gh-aw/threat-detection
           touch /tmp/gh-aw/threat-detection/detection.log
+      - name: Validate OPENAI_API_KEY secret
+        run: |
+          if [ -z "$OPENAI_API_KEY" ]; then
+            echo "Error: OPENAI_API_KEY secret is not set"
+            echo "The GenAIScript engine with openai:gpt-4.1 model requires OPENAI_API_KEY secret to be configured."
+            echo "Please configure this secret in your repository settings."
+            echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/"
+            exit 1
+          fi
+          echo "OPENAI_API_KEY secret is configured"
+        env:
+          GH_AW_AGENT_MODEL_VERSION: openai:gpt-4.1
+          GH_AW_AGENT_VERSION: 2.5.1
+          GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/mcp-servers.json
+          GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
+          GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
+          GH_AW_SAFE_OUTPUTS_CONFIG: "\"{\\\"create_issue\\\":{\\\"max\\\":1,\\\"min\\\":1},\\\"missing_tool\\\":{}}\""
+          GH_AW_SAFE_OUTPUTS_STAGED: "true"
+          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
       - name: Install GenAIScript
         run: npm install -g genaiscript@${GH_AW_AGENT_VERSION} && genaiscript --version
         env:
@@ -2424,6 +2463,7 @@ jobs:
           GH_AW_SAFE_OUTPUTS_CONFIG: "\"{\\\"create_issue\\\":{\\\"max\\\":1,\\\"min\\\":1},\\\"missing_tool\\\":{}}\""
           GH_AW_SAFE_OUTPUTS_STAGED: "true"
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
       - name: Ensure log file exists
         run: |
           echo "Custom steps execution completed" >> /tmp/gh-aw/threat-detection/detection.log