text-to-video
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local shell scripts to manage project lifecycle, file uploads, and status polling. These scripts use
curlandjqto interact with the Pexo API in a secure manner. - [DATA_EXFILTRATION]: User-provided prompts and media files are uploaded to the vendor's domain (
pexo.ai) for processing. This is the primary and documented function of the skill and does not constitute unauthorized exfiltration. - [CREDENTIALS_UNSAFE]: The skill manages a vendor API key (
PEXO_API_KEY) stored in a configuration file at~/.pexo/config. This is a standard practice for CLI-based tools, and the scripts include diagnostic tools to verify key validity. - [EXTERNAL_DOWNLOADS]: The skill downloads generated video assets from signed URLs provided by the Pexo API. These assets are cached locally in
~/.pexo/tmp/for delivery to the user. - [SAFE]: No malicious patterns, obfuscation, or unauthorized access to sensitive system files were detected. The skill instructions accurately reflect its technical implementation and target only the official vendor infrastructure.
Audit Metadata