product-video

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFEPROMPT_INJECTION
Full Analysis
  • [SAFE]: No malicious patterns, obfuscation, or unauthorized access attempts were detected. The skill's code and instructions are consistent with its stated purpose as a service integration.
  • [COMMAND_EXECUTION]: The skill utilizes several Bash scripts to interface with the Pexo API. These scripts are transparent, well-documented, and use standard utilities to perform their tasks.
  • [DATA_EXFILTRATION]: Communication is directed to the vendor's API at https://pexo.ai. The skill handles user-provided API keys via a local configuration file (~/.pexo/config) and includes mechanisms to verify connectivity and authentication safely.
  • [PROMPT_INJECTION]: The skill instructs the agent to relay user messages verbatim to the backend service, which creates a surface for indirect prompt injection.
  • Ingestion points: User-provided product descriptions and video instructions are passed directly to the pexo-chat.sh script.
  • Boundary markers: The instructions do not define specific delimiters or "ignore previous instructions" guards for the relayed content.
  • Capability inventory: The skill can execute local scripts that perform network operations and read/write to the skill's local state directory.
  • Sanitization: The scripts perform local syntax validation for asset tags but do not filter or sanitize the natural language content of user messages.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 13, 2026, 04:14 AM
Security Audit — agent-trust-hub — product-video