explainer-video
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes several shell scripts that execute local commands such as `curl`, `jq`, and `file` to interact with the Pexo API and manage local files.
- [EXTERNAL_DOWNLOADS]: The `pexo-asset-get.sh` script downloads generated media assets from signed URLs provided by the Pexo backend (https://pexo.ai) into a local temporary directory.
- [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface as it relays user-provided text verbatim to the remote Pexo agent. However, the skill mitigates technical injection risks by using `jq` to properly sanitize and encapsulate user input within JSON payloads before transmission.
- [CREDENTIALS_UNSAFE]: While the skill manages an API key (`PEXO_API_KEY`), it correctly instructs the user to store this sensitive information in a local configuration file (`~/.pexo/config`) rather than hardcoding it into the skill's source code.