Pixcli Skill
v2.3.8
Creative toolkit for AI agents — generate images, videos, voiceover, music, and sound effects, then assemble polished output via Remotion. Uses the pixcli CL...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description (image/video/audio generation + Remotion assembly) aligns with the declared requirements: a single PIXCLI_API_KEY credential and node/npx on PATH. The included Remotion templates and docs match the stated purpose and template-based rendering workflow.
Instruction Scope
SKILL.md restricts allowed commands to npx pixcli, npx remotion, npm install (inside templates), ffmpeg/ffprobe, and local file I/O, which stays within the stated production workflow. Two things to note: (1) the SKILL.md repeatedly asserts pixcli "does not execute arbitrary code," but npx runs a package from npm (the pixcli CLI) which is executable code downloaded at runtime — so you must trust the pixcli npm package and its publisher; (2) templates use npm install to pull Remotion and related packages from npm, which will fetch and install many third-party packages (expected for Remotion but still a network install step).
Install Mechanism
There is no explicit install spec in the registry; runtime installs happen via npx --yes pixcli (pulls the pixcli package from npm) and npm install inside copied template directories (pulls Remotion and React deps). Both are standard but involve downloading and executing code from public registries (npm). No arbitrary URL downloads or custom extract-from-URL steps are present.
Credentials
Only PIXCLI_API_KEY is required (declared as primaryEnv). The README mentions an OPENROUTER_API_KEY fallback, but that is optional and not declared as required. No unrelated cloud credentials or broad secrets are requested.
Persistence & Privilege
always:false and no indications the skill changes other skills or global agent configuration. The skill runs as-invoked, can perform long-running jobs (video renders) and local file writes, which is expected for this use case. Autonomous invocation is allowed by default but is not combined with unusual privileges here.
Assessment
This skill appears internally consistent with its stated purpose, but you should: (1) recognize that npx --yes pixcli will download and execute the pixcli npm package at runtime — inspect the pixcli npm package and its GitHub source (links are provided in the SKILL.md) before trusting it; (2) be aware npm install inside templates will fetch Remotion and many dependencies from npm (audit those packages or run in an isolated/ephemeral environment if you have security concerns); (3) only provide a PIXCLI_API_KEY you are willing to use with a third-party generation service (monitor usage/billing and consider scoped/limited keys if the service supports them); (4) if you require stricter guarantees, run the workflow in an isolated container/VM or review the published pixcli package code/release provenance before allowing autonomous agent invocation.

Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🎨 Clawdis
Any bin: node, npx
Env: PIXCLI_API_KEY
Primary env: PIXCLI_API_KEY
