(Google) Veo 3 Video Gen
PassAudited by ClawScan on May 1, 2026.
Overview
This is a coherent Pixwith video-generation skill, but users should note it uses a Pixwith API key, spends credits, and may upload user-provided images to external services.
Before installing, verify that you trust Pixwith and this skill publisher, provide PIXWITH_API_KEY only through a secure secret mechanism, confirm the credit cost before creating videos, and only upload reference images you are comfortable sending to the provider.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can use the configured Pixwith API key to check credits and create video-generation tasks that may consume account credits.
The skill authenticates to Pixwith using the user's API key. This is expected for the service, but it gives the agent delegated access to the user's Pixwith account for API operations.
This skill requires a `PIXWITH_API_KEY` environment variable.
Provide the key only through the runtime's secret manager or environment-variable mechanism, verify the Pixwith account and domain, and rotate or revoke the key if it is exposed.
A generated video may consume 50 or 200 Pixwith credits depending on the selected tier.
Creating a video task is an external API action that consumes Pixwith credits. The skill discloses pricing and tells the agent to inform the user first, which is a useful control, but users should still confirm before spending credits.
Always inform the user of the cost before creating a task.
Confirm the model tier, prompt, aspect ratio, and credit cost before allowing task creation, especially for Pro generation.
Reference images supplied from local files may be sent to Pixwith or cloud storage for processing.
For image-to-video workflows, the skill may upload user-provided local images to Pixwith or a presigned storage endpoint. This is purpose-aligned but is a third-party data transfer.
If the user provides a local file path (not a public URL), upload it first.
Only provide images that are appropriate to upload to Pixwith, and avoid using sensitive or private images unless you accept the provider's handling of that data.
The installation listing may understate that the skill needs a Pixwith API key.
The registry metadata does not declare the PIXWITH_API_KEY requirement that appears in SKILL.md. This looks like an under-declared metadata contract rather than hidden behavior, because SKILL.md itself clearly describes the key requirement.
Required env vars: none; Env var declarations: none; Primary credential: none
Treat the skill as requiring a Pixwith API credential and verify the publisher/homepage before configuring the key.