text-to-video

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes local shell scripts to manage project lifecycle, file uploads, and status polling. These scripts use curl and jq to interact with the Pexo API in a secure manner.
  • [DATA_EXFILTRATION]: User-provided prompts and media files are uploaded to the vendor's domain (pexo.ai) for processing. This is the primary and documented function of the skill and does not constitute unauthorized exfiltration.
  • [CREDENTIALS_UNSAFE]: The skill manages a vendor API key (PEXO_API_KEY) stored in a configuration file at ~/.pexo/config. This is a standard practice for CLI-based tools, and the scripts include diagnostic tools to verify key validity.
  • [EXTERNAL_DOWNLOADS]: The skill downloads generated video assets from signed URLs provided by the Pexo API. These assets are cached locally in ~/.pexo/tmp/ for delivery to the user.
  • [SAFE]: No malicious patterns, obfuscation, or unauthorized access to sensitive system files were detected. The skill instructions accurately reflect its technical implementation and target only the official vendor infrastructure.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 13, 2026, 04:14 AM
Security Audit — agent-trust-hub — text-to-video