← Back to Skills Marketplace

pixelhub-api-tools

Name: pixelhub-api-tools
Author: leik1000

by leik1000 · GitHub ↗ · v1.0.7 · MIT-0

cross-platform ⚠ suspicious

278

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install pixelhub-api-tools

Description

Use for Pixelhub API direct calls when users need image generation/editing, video generation/post-processing, or audio/music generation.

Usage Guidance

This skill's code matches its description (it calls Pixelhub/Pixelle API endpoints), but the SKILL.md asks you to paste your API key into chat and to have the agent write that key into the runner source file. Before installing or using: 1) Do not paste secrets into chat unless you understand and accept that the key may be stored in chat logs and the skill directory. 2) Prefer setting an environment variable (Pixelhub_API_KEY) rather than embedding the key in code; the runner supports env vars even though SKILL.md doesn't recommend them. 3) Verify the publisher and service (pixellelabs.com) and consider creating a scoped/test key that you can rotate. 4) Inspect and backup the runner file before and after modification, and remove or rotate the stored key when no longer needed. 5) If you require stricter secrecy, ask the publisher to provide a flow that uses secure secret storage (env vars or a dedicated secrets API) instead of modifying files.

Capability Analysis

Type: OpenClaw Skill Name: pixelhub-api-tools Version: 1.0.7 The skill implements a risky setup pattern in SKILL.md that instructs the AI agent to modify its own source code (pixelhub_api_runner.py) and documentation to store a user-provided API key. This self-modification mechanism is a vulnerability because it lacks input sanitization; a crafted 'API key' could be used to inject and execute arbitrary Python code when the script is subsequently run. While the behavior is aligned with the stated purpose of accessing the Pixelle Labs API (pixellelabs.com), the implementation pattern is inherently insecure.

Capability Assessment

ℹ Purpose & Capability

Name/description match the included runner and API endpoint usage (calls to https://www.pixellelabs.com/api/...). The code implements tool listing, task submission, and polling consistent with image/audio/video workflow operations. Minor inconsistency: SKILL.md calls the service "Pixelhub" while the registration domain and DEFAULT_BASE_URL reference pixellelabs.com, but functionality is coherent with the stated purpose.

⚠ Instruction Scope

SKILL.md explicitly instructs the agent to have the user paste their API key in chat and then to replace DEFAULT_API_KEY and change a status line inside pixelhub_api_runner.py. That directs the agent to collect a secret via chat and write it into a local code file, granting persistent access to the key. The instructions also forbid fallbacks (curl/manual HTTP) and say not to invent a key; those constraints are odd but not necessarily malicious. The instruction set grants the agent discretion to modify files in the skill directory and to handle user secrets — scope creep relative to a simple wrapper script.

✓ Install Mechanism

No install spec is provided (instruction-only with a bundled Python runner). This is low-risk from an install perspective; the code is included in the package and no external archives or third-party downloads are executed during install.

⚠ Credentials

The package does not declare required env vars but the runner supports Pixelhub_API_KEY and Pixelhub_BASE_URL via environment variables. SKILL.md, however, instructs users to paste the API key into chat and write it into the file instead of using env vars. Asking for a single API key is proportionate to the task, but the guidance to transmit the key over chat and persist it in a code file is disproportionate and insecure. There is no request for unrelated credentials or elevated system config.

⚠ Persistence & Privilege

The instructions require modifying the skill's own file to embed the API key and flip a status flag; this gives the skill persistent access to the secret on disk. The skill is not marked 'always: true' and does not request system-wide privileges, but persisting credentials in a code file is risky (exposure in repos, backups, or logs).

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install pixelhub-api-tools
After installation, invoke the skill by name or use /pixelhub-api-tools
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.7

- Added metadata file (_meta.json) to the package. - Updated skill description to refer to "Pixelle API" instead of "Pixelhub API".

v1.0.6

- Updated skill name and description to use "Pixelhub" instead of "Pixelle". - No code or logic changes; documentation update only. - All user setup and usage instructions remain the same.

v1.0.5

- Updated documentation and setup flow to require users to manually provide and enter their Pixelle API key into the runner script. - Environment variable usage replaced with a direct key replacement method in pixelhub_api_runner.py. - Credentials are now handled by pasting the API key into chat, which is then added to the runner script. - Removed prior emphasis on local shell environment variables and persistent key storage instructions. - Minor clarifications in execution rules and setup instructions.

v1.0.4

- Added primary_credential field: now explicitly marks PIXELHUB_API_KEY as the primary credential for the skill. - Credential rule update: clarified that PIXELHUB_BASE_URL must point to an official pixellelabs.com host. - No code or command changes—documentation and rules only.

v1.0.3

Version 1.0.3 - Added `homepage`, `source_url`, and `required_env_vars` fields for improved metadata and environment specification. - Clarified and strengthened credential handling rules, including stricter guidance on handling `PIXELHUB_API_KEY` and optional support for `PIXELHUB_BASE_URL`. - Updated credential setup instructions to emphasize session-specific scope and persistence recommendations. - Minor edits to setup and credential instructions for clarity and user safety. - No code or functional changes; documentation improvements only.

v1.0.2

- Credential handling is now based on the PIXELHUB_API_KEY environment variable instead of directly editing Python files. - First-time API key setup instructions revised: users are told to set the API key as an environment variable with platform-specific examples. - Removed direct modification of source code for API key storage, improving security and usability. - Skill now instructs users how to set the environment variable if authentication is missing. - General documentation clarified and simplified for initial configuration.

v1.0.1

- Updated description to refer to "Pixelhub API" instead of "Pixelle API" for clarity and branding consistency. - No functional or structural changes; content and usage instructions remain the same.

v1.0.0

first commit

Metadata

Slug pixelhub-api-tools

Version 1.0.7

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 8

Frequently Asked Questions

What is pixelhub-api-tools?

Use for Pixelhub API direct calls when users need image generation/editing, video generation/post-processing, or audio/music generation. It is an AI Agent Skill for Claude Code / OpenClaw, with 278 downloads so far.

How do I install pixelhub-api-tools?

Run "/install pixelhub-api-tools" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is pixelhub-api-tools free?

Yes, pixelhub-api-tools is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does pixelhub-api-tools support?

pixelhub-api-tools is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created pixelhub-api-tools?

It is built and maintained by leik1000 (@leik1000); the current version is v1.0.7.

More Skills