← Back to Skills Marketplace
376
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install pixshop-creative-api
Description
Pixshop 开发者 REST API — 图片生成/编辑、视频制作、提示词库、应用市场、社区 / Pixshop Developer REST API — image generation/editing, video, prompts, apps, community endpoints. Use when...
Usage Guidance
This skill is largely a documentation page for Pixshop's REST endpoints, but it demonstrates ways to obtain tokens (installing a CLI and reading ~/.pixshop-config.json) without declaring required credentials. Before installing or enabling it:
- Verify the skill's source or official Pixshop docs (no homepage/source provided here).
- Prefer providing an explicit PIXSHOP_TOKEN environment variable rather than letting the agent run shell commands or read ~/.pixshop-config.json.
- If you do not want the agent to access local files or run commands, remove or restrict allowed-tools (Bash/Read) or disable autonomous invocation for this skill.
- If you consider installing the 'pixshop' npm CLI, review that package and its maintainers first (npm install -g runs code).
- Be cautious with the Supabase examples: they reference apikeys and auth endpoints — never expose service anon/secret keys unless you intend to.
If you want a low-risk integration, ask the skill author to declare required env vars (token) and remove instructions that encourage reading local config files or installing third-party CLIs.
Capability Analysis
Type: OpenClaw Skill
Name: pixshop-creative-api
Version: 1.0.0
The skill bundle provides documentation for the Pixshop Creative API but requires high-risk capabilities that expand the agent's attack surface. Specifically, SKILL.md instructs the agent to use 'Bash' to install a global NPM package (npm install -g pixshop) and 'Read' to access a local configuration file (~/.pixshop-config.json) to retrieve an access token. While these actions are plausibly needed for the stated purpose of a developer tool, the reliance on shell execution and direct filesystem access to sensitive configuration data is classified as suspicious according to the provided security criteria.
Capability Assessment
Purpose & Capability
The name/description match the SKILL.md content (REST endpoints for Pixshop). However, the instructions demonstrate auth acquisition (CLI login and reading ~/.pixshop-config.json, Supabase auth examples) even though the skill declares no required environment variables or primary credential. A REST-integration skill would normally declare a token env var (e.g., PIXSHOP_TOKEN).
Instruction Scope
SKILL.md contains explicit examples that read local configuration (cat ~/.pixshop-config.json) and install/run a 'pixshop' CLI. The skill header allows Bash and Read tools, which combined with those examples means the agent could be instructed to access local files/execute shell commands to obtain tokens. That expands scope beyond merely describing HTTP endpoints and could lead to unintended credential exposure.
Install Mechanism
This is instruction-only (no install spec, no code files). That is low-risk from an installation-perspective because nothing is downloaded or written by the skill itself.
Credentials
The API clearly requires an Authorization Bearer token, and examples reference an accessToken and Supabase apikey, but the skill declares no required env vars or primary credential. The absence of declared credentials is disproportionate to the documented auth needs and makes it unclear how the agent should obtain/store tokens safely.
Persistence & Privilege
always is false (normal). The skill allows Bash and Read in its header, enabling runtime shell and file reads; this is not inherently malicious but increases the blast radius if the agent is allowed to execute autonomously. No evidence the skill requests permanent presence or modifies other skills.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install pixshop-creative-api - After installation, invoke the skill by name or use
/pixshop-creative-api - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release
Metadata
Frequently Asked Questions
What is Pixshop Creative API — Developer REST Endpoints?
Pixshop 开发者 REST API — 图片生成/编辑、视频制作、提示词库、应用市场、社区 / Pixshop Developer REST API — image generation/editing, video, prompts, apps, community endpoints. Use when... It is an AI Agent Skill for Claude Code / OpenClaw, with 376 downloads so far.
How do I install Pixshop Creative API — Developer REST Endpoints?
Run "/install pixshop-creative-api" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Pixshop Creative API — Developer REST Endpoints free?
Yes, Pixshop Creative API — Developer REST Endpoints is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Pixshop Creative API — Developer REST Endpoints support?
Pixshop Creative API — Developer REST Endpoints is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Pixshop Creative API — Developer REST Endpoints?
It is built and maintained by KLeo (@lizhijun); the current version is v1.0.0.
More Skills