image-to-video
Fail
Audited by Snyk on Jun 13, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The skill explicitly instructs the agent to output full asset URLs including all query parameters (which often contain bearer tokens or signed-access secrets) and includes an API key config example (PEXO_API_KEY="sk-..."), so the agent must relay secret tokens verbatim in its responses.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill makes runtime API calls to PEXO_BASE_URL (https://pexo.ai) — e.g., /api/chat and /api/biz/projects/... — and the responses (nextAction, recentMessages, etc.) are used at runtime to drive the agent's decisions and actions, so external content from https://pexo.ai directly controls agent instructions.
Issues (2)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).