Ai Video Generation Skills

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Pixwith media-generation connector, with expected API-key setup and user-selected image uploads.

Install this only if you intend to use Pixwith through OpenClaw. Treat the Pixwith API key as a secret, store it only in local MCP settings, review credit costs before expensive jobs, and avoid uploading sensitive images or prompts unless you are comfortable sending them to Pixwith.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill tells users to generate and paste an API key into configuration but does not warn that the key is a secret, should not be shared in chat, should be stored only in trusted local MCP settings, and should be rotated if exposed. In an agent setting, omission of credential-handling guidance increases the chance users leak the key into prompts, screenshots, logs, or copied configs.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal