← 返回 Skills 市场

pixelhub-api-tools

Name: pixelhub-api-tools
Author: leik1000

作者 leik1000 · GitHub ↗ · v1.0.7 · MIT-0

cross-platform ⚠ suspicious

278

总下载

当前安装

版本数

在 OpenClaw 中安装

/install pixelhub-api-tools

功能描述

Use for Pixelhub API direct calls when users need image generation/editing, video generation/post-processing, or audio/music generation.

安全使用建议

This skill's code matches its description (it calls Pixelhub/Pixelle API endpoints), but the SKILL.md asks you to paste your API key into chat and to have the agent write that key into the runner source file. Before installing or using: 1) Do not paste secrets into chat unless you understand and accept that the key may be stored in chat logs and the skill directory. 2) Prefer setting an environment variable (Pixelhub_API_KEY) rather than embedding the key in code; the runner supports env vars even though SKILL.md doesn't recommend them. 3) Verify the publisher and service (pixellelabs.com) and consider creating a scoped/test key that you can rotate. 4) Inspect and backup the runner file before and after modification, and remove or rotate the stored key when no longer needed. 5) If you require stricter secrecy, ask the publisher to provide a flow that uses secure secret storage (env vars or a dedicated secrets API) instead of modifying files.

功能分析

Type: OpenClaw Skill Name: pixelhub-api-tools Version: 1.0.7 The skill implements a risky setup pattern in SKILL.md that instructs the AI agent to modify its own source code (pixelhub_api_runner.py) and documentation to store a user-provided API key. This self-modification mechanism is a vulnerability because it lacks input sanitization; a crafted 'API key' could be used to inject and execute arbitrary Python code when the script is subsequently run. While the behavior is aligned with the stated purpose of accessing the Pixelle Labs API (pixellelabs.com), the implementation pattern is inherently insecure.

能力评估

ℹ Purpose & Capability

Name/description match the included runner and API endpoint usage (calls to https://www.pixellelabs.com/api/...). The code implements tool listing, task submission, and polling consistent with image/audio/video workflow operations. Minor inconsistency: SKILL.md calls the service "Pixelhub" while the registration domain and DEFAULT_BASE_URL reference pixellelabs.com, but functionality is coherent with the stated purpose.

⚠ Instruction Scope

SKILL.md explicitly instructs the agent to have the user paste their API key in chat and then to replace DEFAULT_API_KEY and change a status line inside pixelhub_api_runner.py. That directs the agent to collect a secret via chat and write it into a local code file, granting persistent access to the key. The instructions also forbid fallbacks (curl/manual HTTP) and say not to invent a key; those constraints are odd but not necessarily malicious. The instruction set grants the agent discretion to modify files in the skill directory and to handle user secrets — scope creep relative to a simple wrapper script.

✓ Install Mechanism

No install spec is provided (instruction-only with a bundled Python runner). This is low-risk from an install perspective; the code is included in the package and no external archives or third-party downloads are executed during install.

⚠ Credentials

The package does not declare required env vars but the runner supports Pixelhub_API_KEY and Pixelhub_BASE_URL via environment variables. SKILL.md, however, instructs users to paste the API key into chat and write it into the file instead of using env vars. Asking for a single API key is proportionate to the task, but the guidance to transmit the key over chat and persist it in a code file is disproportionate and insecure. There is no request for unrelated credentials or elevated system config.

⚠ Persistence & Privilege

The instructions require modifying the skill's own file to embed the API key and flip a status flag; this gives the skill persistent access to the secret on disk. The skill is not marked 'always: true' and does not request system-wide privileges, but persisting credentials in a code file is risky (exposure in repos, backups, or logs).

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install pixelhub-api-tools
安装完成后，直接呼叫该 Skill 的名称或使用 /pixelhub-api-tools 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.7

- Added metadata file (_meta.json) to the package. - Updated skill description to refer to "Pixelle API" instead of "Pixelhub API".

v1.0.6

- Updated skill name and description to use "Pixelhub" instead of "Pixelle". - No code or logic changes; documentation update only. - All user setup and usage instructions remain the same.

v1.0.5

- Updated documentation and setup flow to require users to manually provide and enter their Pixelle API key into the runner script. - Environment variable usage replaced with a direct key replacement method in pixelhub_api_runner.py. - Credentials are now handled by pasting the API key into chat, which is then added to the runner script. - Removed prior emphasis on local shell environment variables and persistent key storage instructions. - Minor clarifications in execution rules and setup instructions.

v1.0.4

- Added primary_credential field: now explicitly marks PIXELHUB_API_KEY as the primary credential for the skill. - Credential rule update: clarified that PIXELHUB_BASE_URL must point to an official pixellelabs.com host. - No code or command changes—documentation and rules only.

v1.0.3

Version 1.0.3 - Added `homepage`, `source_url`, and `required_env_vars` fields for improved metadata and environment specification. - Clarified and strengthened credential handling rules, including stricter guidance on handling `PIXELHUB_API_KEY` and optional support for `PIXELHUB_BASE_URL`. - Updated credential setup instructions to emphasize session-specific scope and persistence recommendations. - Minor edits to setup and credential instructions for clarity and user safety. - No code or functional changes; documentation improvements only.

v1.0.2

- Credential handling is now based on the PIXELHUB_API_KEY environment variable instead of directly editing Python files. - First-time API key setup instructions revised: users are told to set the API key as an environment variable with platform-specific examples. - Removed direct modification of source code for API key storage, improving security and usability. - Skill now instructs users how to set the environment variable if authentication is missing. - General documentation clarified and simplified for initial configuration.

v1.0.1

- Updated description to refer to "Pixelhub API" instead of "Pixelle API" for clarity and branding consistency. - No functional or structural changes; content and usage instructions remain the same.

v1.0.0

first commit

元数据

Slug pixelhub-api-tools

版本 1.0.7

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 8

常见问题

pixelhub-api-tools 是什么？

Use for Pixelhub API direct calls when users need image generation/editing, video generation/post-processing, or audio/music generation. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 278 次。

如何安装 pixelhub-api-tools？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install pixelhub-api-tools」即可一键安装，无需额外配置。

pixelhub-api-tools 是免费的吗？

是的，pixelhub-api-tools 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

pixelhub-api-tools 支持哪些平台？

pixelhub-api-tools 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 pixelhub-api-tools？

由 leik1000（@leik1000）开发并维护，当前版本 v1.0.7。