PixVerse AI Image and Video Generator
Review
Audited by ClawScan on May 1, 2026.
Overview
This skill is a coherent PixVerse CLI guide, but it uses a PixVerse account, stored login token, cloud uploads, and credit-consuming generation commands.
This skill appears purpose-aligned and not suspicious. Before installing, make sure you trust the PixVerse npm CLI, understand that generations consume PixVerse credits, protect the stored OAuth token, and avoid uploading sensitive local images or videos.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or anything with access to the stored token may be able to use the PixVerse account until the token expires or is revoked.
The skill requires PixVerse account authentication and stores a reusable token locally, which is expected for the PixVerse CLI but gives the CLI ongoing account access.
The token is stored automatically in `~/.pixverse/` ... Set `PIXVERSE_TOKEN` environment variable to override the stored token
Authenticate only on trusted machines, protect `~/.pixverse/` and `PIXVERSE_TOKEN`, and revoke or refresh tokens if the environment is shared or compromised.
Automated or repeated generation can use paid or limited PixVerse credits.
The main generation commands spend PixVerse account credits; this is clearly disclosed and central to the skill, but users should notice the account-impacting action.
Generating content **consumes credits** from the user's PixVerse account
Set clear limits before batch generation, check credits first, and avoid letting an agent run open-ended creation loops.
Private images or videos provided as inputs may leave the local machine and be processed by PixVerse.
The workflow discloses that local files supplied to the CLI are uploaded to PixVerse cloud storage for processing, which is expected for this service but is a sensitive data flow.
Local file → --image ./photo.jpg (auto-uploads to PixVerse cloud storage)
Do not pass sensitive, confidential, or private media files unless you are comfortable uploading them to PixVerse.
Installing or running the CLI executes code from the npm package source.
The skill relies on installing or executing an external npm CLI package that is not included in the reviewed artifacts; this is normal for a CLI skill but depends on package-source trust.
npm install -g pixverse ... Or run without installing: npx pixverse
Install only from the official PixVerse package/source, consider pinning a known version for reproducibility, and avoid running npx in high-trust environments without checking the package.
