launch-video

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes a suite of shell scripts to interact with the Pexo API. These scripts are well-defined, perform local validation (e.g., checking file extensions and sizes), and use standard tools like curl and jq for network requests and data parsing.
  • [CREDENTIALS_UNSAFE]: The skill manages authentication via an API key (PEXO_API_KEY) stored in ~/.pexo/config. This is a standard and recommended practice for CLI-based tools. The pexo-doctor.sh script specifically includes a mask_secret function to prevent the full key from being printed to the console during diagnostics.
  • [DATA_EXFILTRATION]: Communication is restricted to the vendor's official domain (pexo.ai) for the purpose of processing video requests. The skill transmits user-provided project briefs and media files to the backend, which is its primary intended function.
  • [PROMPT_INJECTION]: Static analysis flagged a potential concealment pattern in the troubleshooting documentation. However, review confirms this is a benign instruction advising the agent to distinguish between 'Internal Server Errors' and 'Invalid API Keys' to provide better user guidance, rather than an attempt to hide malicious activity.
  • [EXTERNAL_DOWNLOADS]: The pexo-asset-get.sh script downloads generated video assets from signed URLs provided by the Pexo API to a local temporary directory (~/.pexo/tmp/). These are standard operations for a media generation service.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 13, 2026, 04:14 AM
Security Audit — agent-trust-hub — launch-video