launch-video
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes a suite of shell scripts to interact with the Pexo API. These scripts are well-defined, perform local validation (e.g., checking file extensions and sizes), and use standard tools like
curlandjqfor network requests and data parsing. - [CREDENTIALS_UNSAFE]: The skill manages authentication via an API key (
PEXO_API_KEY) stored in~/.pexo/config. This is a standard and recommended practice for CLI-based tools. Thepexo-doctor.shscript specifically includes amask_secretfunction to prevent the full key from being printed to the console during diagnostics. - [DATA_EXFILTRATION]: Communication is restricted to the vendor's official domain (
pexo.ai) for the purpose of processing video requests. The skill transmits user-provided project briefs and media files to the backend, which is its primary intended function. - [PROMPT_INJECTION]: Static analysis flagged a potential concealment pattern in the troubleshooting documentation. However, review confirms this is a benign instruction advising the agent to distinguish between 'Internal Server Errors' and 'Invalid API Keys' to provide better user guidance, rather than an attempt to hide malicious activity.
- [EXTERNAL_DOWNLOADS]: The
pexo-asset-get.shscript downloads generated video assets from signed URLs provided by the Pexo API to a local temporary directory (~/.pexo/tmp/). These are standard operations for a media generation service.
Audit Metadata