video-ad
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill operates as a transparent relay to the Pexo API. All sensitive operations, such as asset uploads and project management, are performed using standard shell utilities (curl, jq) directed at the official vendor domain (pexo.ai).
- [COMMAND_EXECUTION]: The skill utilizes a suite of local helper scripts to manage its workflow. These scripts are implemented with proper error handling and input validation (e.g., checking file existence and media types before processing).
- [EXTERNAL_DOWNLOADS]: The skill retrieves generated media files from signed URLs provided by the backend. Files are stored in a designated local temporary directory (~/.pexo/tmp/).
- [CREDENTIALS_UNSAFE]: The skill correctly manages user credentials by reading them from a configuration file (~/.pexo/config) rather than using hardcoded values. Documentation provides clear instructions for users to manage their own API keys.
- [PROMPT_INJECTION]: The static analysis flag regarding instruction concealment was determined to be a false positive. The referenced documentation simply describes standard error reporting behavior (printing JSON to stderr), which is routine for CLI-based tools and does not constitute a security risk.
Audit Metadata