Back to skill
Skillv1.0.1
ClawScan security
Ai Image Generation Skills · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 15, 2026, 5:36 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only integration that consistently documents using Pixwith via MCP and does not request unexplained credentials, installs, or filesystem access.
- Guidance
- This skill is an instruction-only connector for Pixwith and appears internally consistent. Before installing: (1) confirm the MCP endpoint URL (https://api.pixwith.ai/mcp) is the official Pixwith endpoint you expect; (2) create a Pixwith API key with minimal privileges and add it to your OpenClaw MCP config (do not paste your key into chat); (3) be mindful when uploading private images — the skill may instruct you to upload them to a Pixwith-hosted URL (presigned S3), so review Pixwith's privacy/retention policy and monitor credit usage. If you want stronger containment, verify MCP server TLS certificate and consider rotating the API key after initial tests.
Review Dimensions
- Purpose & Capability
- okThe name/description (Pixwith image/video generation) matches the instructions: discovery, schema inspection, uploading reference images, creating async generate tasks, and polling results. Nothing requested (no env vars, no binaries, no special paths) is out of scope for a cloud media-generation integration.
- Instruction Scope
- okSKILL.md limits agent actions to MCP tool calls (list_models, get_model_schema, upload_image, generate, get_task_result, get_credits), guiding user setup and upload flows. It does not instruct reading local secrets, unrelated files, or exfiltrating data to unexpected endpoints. Upload semantics and polling behavior are explicitly described.
- Install Mechanism
- okThere is no install spec and no code files — the skill is instruction-only, which minimizes risk. All external endpoints referenced point to pixwith.ai and MCP presigned upload URLs (S3 semantics) described in the docs.
- Credentials
- okThe skill does not declare or require environment variables. It instructs the user to add a Pixwith API key to OpenClaw's MCP configuration (appropriate for a third‑party API). No unrelated credentials, secret paths, or broad environment access are requested.
- Persistence & Privilege
- okalways is false and the skill does not request any elevated or persistent platform privileges nor modify other skills. The skill allows normal autonomous invocation (disable-model-invocation: false) which is the platform default and acceptable here given the limited scope.