pixverse
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the 'pixverse' package from the NPM registry (npm install -g pixverse). This is a legitimate vendor resource used to provide the core functionality of the skill.
- [COMMAND_EXECUTION]: The skill extensively uses shell commands to interact with the PixVerse API. This includes operations for authentication, content generation (video and image), task polling, and asset management. The use of 'jq' for parsing JSON output from these commands is a standard practice for structured data handling in agent workflows.
- [CREDENTIALS_UNSAFE]: Authentication is handled via an OAuth device flow, and access tokens are stored locally in the '~/.pixverse/' directory. The skill also supports overriding the token via the 'PIXVERSE_TOKEN' environment variable. These are standard implementation patterns for CLI tool authentication persistence.
- [DATA_EXFILTRATION]: The skill includes functionality to upload local image files to the PixVerse API for image-to-video or image-to-image tasks. This is a primary feature of the tool and operates over the vendor's official infrastructure.
Audit Metadata