Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pixcli Skill

v2.2.0

Creative toolkit for AI agents — generate images, videos, voiceover, music, and sound effects, then assemble polished output via Remotion. Uses the pixcli CL...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (image/video/audio generation + Remotion templates) aligns with required binaries (node, npx), the single declared env var (PIXCLI_API_KEY), and the included Remotion templates and docs.
Instruction Scope
SKILL.md and README instruct running the external pixcli npm CLI and Remotion (npm install / npx remotion), copying local templates into a project, and writing generated assets to public/ (expected). The README mentions an OPENROUTER_API_KEY fallback not declared in the skill metadata — this is a minor inconsistency because it implies the tool may read an additional environment variable that wasn't listed.
Install Mechanism
There is no internal install spec; the instructions expect you to install or run the pixcli package from the public npm registry (npm install -g pixcli or npx pixcli). Installing an external npm package is a normal dependency but carries the usual supply-chain risk (arbitrary code from npm). The skill bundle itself contains Remotion templates only (no bundled pixcli binary).
Credentials
The only required credential declared is PIXCLI_API_KEY which is appropriate for a cloud API CLI. The README's mention of OPENROUTER_API_KEY as a fallback is not declared in requires.env — this should be treated as an undeclared optional env var that the CLI may inspect if present.
Persistence & Privilege
Skill is not always-enabled, does not request persistent system-wide privileges, and does not modify other skills' configuration. Runtime actions (file writes, npm installs, npx remotion) are local to the project and expected for this purpose.
Assessment
This skill appears to be what it claims: a Node CLI that calls a pixcli service and provides Remotion templates. Before installing or running it:
- Treat the PIXCLI_API_KEY like any API secret: create a limited key if possible and avoid reusing high-privilege credentials.
- Installing via npm (npm install -g pixcli) will pull code from the public registry — review the npm package and its maintainers (and choose npx for one-off use if you prefer not to install globally).
- The README mentions an OPENROUTER_API_KEY fallback (not listed in the skill metadata). If you have that env var set, the CLI may use it — consider removing unrelated secrets from your environment when running third-party CLIs.
- The Remotion templates included in the bundle will require npm install in a copied folder and then running npx remotion (which executes JS code locally). The templates in this bundle look benign, but review any third-party template code before rendering in a sensitive environment.
- If you need higher assurance, inspect the upstream npm package source (pixcli on npm / its GitHub) and the runtime behavior of the CLI (particularly network endpoints and what metadata it sends) before providing any private or sensitive data.

Like a lobster shell, security has layers — review code before you run it.

latestvk9792zmps7nx7z7f1rq9jk3j6983ymsj

Runtime requirements

🎨 Clawdis
Any bin: node, npx
Env: PIXCLI_API_KEY
Primary env: PIXCLI_API_KEY
