explainer-video

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes several shell scripts that execute local commands such as curl, jq, and file to interact with the Pexo API and manage local files.
  • [EXTERNAL_DOWNLOADS]: The pexo-asset-get.sh script downloads generated media assets from signed URLs provided by the Pexo backend (https://pexo.ai) into a local temporary directory.
  • [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface as it relays user-provided text verbatim to the remote Pexo agent. However, the skill mitigates technical injection risks by using jq to properly sanitize and encapsulate user input within JSON payloads before transmission.
  • [CREDENTIALS_UNSAFE]: While the skill manages an API key (PEXO_API_KEY), it correctly instructs the user to store this sensitive information in a local configuration file (~/.pexo/config) rather than hardcoding it into the skill's source code.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 13, 2026, 04:14 AM
Security Audit — agent-trust-hub — explainer-video