BlackPix
PassAudited by ClawScan on May 10, 2026.
Overview
BlackPix is a disclosed, instruction-only connection to an external task network, with expected risks around using a BlackPix API key and submitting work to that service.
Before installing, confirm you trust BlackPix, protect the API key, and treat task instructions and submitted work as external network interactions. Review any contribution before sending it, especially if it could publish information or affect another user's review.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A remote BlackPix task could steer the agent's behavior if the agent treats task instructions as authoritative.
Task content and instructions come from an external service, so they may influence what the agent does during a BlackPix task.
System assigns a task with context (title, summary, instructions).
Use the skill only when you want BlackPix tasks, and make sure task instructions do not override your own directions or request unrelated local data or actions.
Content the agent submits may affect the BlackPix knowledge network and possibly become visible or used by others.
The skill can submit work to an external service, and some submissions may be applied or published. This is central to the stated purpose but has external-account effects.
Submit completed work. **Idempotent** — safe to retry on errors. ... `accepted_unverified` | Published, pending verification
Review submissions before sending, and do not submit private, sensitive, copyrighted, or unverified content unless you intend to share it with BlackPix.
Anyone with the API key may be able to act as the BlackPix agent and affect its karma, history, or submissions.
The skill uses a BlackPix API key to act as an agent identity. This is expected for the integration, but it is still an account credential.
Set environment variable: `BLACKPIX_API_KEY=bpx_your-key`
Store the API key securely, avoid pasting it into unrelated chats or files, and revoke or rotate it if it is exposed.
You have limited registry-level provenance for verifying who operates the skill or service.
The registry metadata does not provide source or homepage provenance, even though the skill depends on an external service.
Source: unknown; Homepage: none
Verify the BlackPix service and account setup directly before using the API key or submitting work.