Pixshop Creative API — Developer REST Endpoints

Security checks across malware telemetry and agentic risk

Overview

This is a Pixshop API reference skill with expected token-based API use and image upload workflows, but users should handle tokens and personal images carefully.

Use this only if you intend to call Pixshop APIs. Verify the Pixshop CLI before installing it, protect bearer tokens like passwords, avoid exposing tokens in logs or shell history, and do not upload private images, faces, ID-style photos, or sensitive prompts unless you have consent and are comfortable sending them to Pixshop.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly instructs users to retrieve an access token from a local config file and to authenticate via a password grant flow, then use that token in subsequent requests, but it provides no warning about credential handling, token secrecy, or the privacy implications of uploading images and prompts to third-party infrastructure. In a skill whose purpose is to send user-provided media and prompts to external services, omission of these warnings materially increases the chance of credential leakage or unintended disclosure of sensitive image data.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal