ClawHub

Pixshop CLI — AI Image & Video Generation

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Pixshop CLI guide, but installing it means using a third-party npm tool that can upload media, use account credentials, and spend Pixshop credits.

Install only if you intend to use Pixshop from the terminal. Verify the npm package source before global installation, log in only to the intended Pixshop account, avoid uploading sensitive or unauthorized personal images, and review batch or credit-consuming commands before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill description is broad enough to trigger on many common image/video-related user requests, which can cause the agent to invoke this skill in situations where a narrower or safer tool would be more appropriate. Because the skill enables Bash-based installation, login, and command execution against a third-party service, overbroad routing increases the chance of unnecessary external actions, data exposure, or unintended account usage.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The documentation states that configuration is stored in ~/.pixshop-config.json but does not warn that authentication material may be stored locally there. In a security-sensitive agent environment, failing to disclose local credential storage can lead users or downstream automation to mishandle that file, back it up insecurely, expose it in logs, or grant overly broad filesystem access.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal