Skill v1.5.0

ClawScan security

PixVerse AI Image and Video Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 3, 2026, 9:31 AM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requirements, instructions, and included scripts are consistent with a CLI for generating images/videos — nothing requests unrelated credentials or installs unexpected components — but note a couple of privacy/operational details (optional env var and local-file uploads).
Guidance
This skill appears to do what it says: a CLI that interacts with PixVerse cloud services. Before installing or running it, consider: (1) Authentication uses OAuth device flow and tokens are stored in ~/.pixverse/ (or you can supply PIXVERSE_TOKEN) — treat that token like any other credential. (2) Local files passed to commands (e.g., --image ./file.jpg or --video ./my-video.mp4) are uploaded to PixVerse cloud for processing — do not upload sensitive or private files. (3) The included scripts (update.sh, check-update.sh) perform git pulls and curl to GitHub; run them only if you trust the repository and understand they may modify local files. (4) Minor metadata inconsistency: SKILL.md references PIXVERSE_TOKEN but the registry metadata lists no env vars — this is optional but worth noting. If you need higher assurance, inspect the upstream pixverse npm package code before installing or use npx to run without global install.

Review Dimensions

Purpose & Capability
ok: Name/description (PixVerse CLI for image/video generation) match the instructions and workflows: OAuth device flow, create/download assets, models, pipelines, and asset management. No unrelated credentials or binaries are requested and the provided scripts align with repo maintenance (git/curl).
Instruction Scope
note: SKILL.md stays on-topic (create/edit/modify assets, check tasks, manage workspaces). It explicitly instructs uploading local files to PixVerse cloud storage (expected for I2V/I2I workflows) and references storing tokens under ~/.pixverse/ and an optional PIXVERSE_TOKEN env var. These behaviors are coherent with the CLI purpose but are privacy-relevant (local files and auth tokens are transmitted/stored).
Install Mechanism
ok: No install spec in the registry (instruction-only). The SKILL.md recommends npm install -g pixverse or npx usage, which is proportionate to a Node CLI. The two included shell scripts only use git and curl against GitHub raw content and are straightforward; no arbitrary binary downloads or obscure hosts are used.
Credentials
note: Registry metadata lists no required env vars, and the skill does not demand unrelated secrets. SKILL.md references PIXVERSE_TOKEN as an optional override and describes tokens saved under ~/.pixverse/ — the env var is reasonable but it is not declared in the registry metadata, which is a minor inconsistency the user should be aware of.
Persistence & Privilege
ok: always:false and user-invocable (default) — no forced permanent presence. The skill stores its auth token in ~/.pixverse/ (normal for a CLI) but does not request system-wide or other-skills' configuration changes.