Pexo AI Video Agent

Pass. Audited by ClawScan on May 13, 2026.

Overview

The skill appears to be a legitimate Pexo video-generation helper, but it requires a Pexo API key and can upload user-selected media to Pexo, with minor setup/provenance transparency issues.

Install only if you intend to use Pexo for video generation. Verify PEXO_BASE_URL is the trusted Pexo endpoint, protect and rotate your API key as needed, keep ~/.pexo/config secure, and upload only files you are comfortable sharing with the provider.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who obtains the configured API key could use whatever Pexo permissions that key grants.

Why it was flagged

The helpers use PEXO_API_KEY as a Bearer token for Pexo API calls. This is disclosed and purpose-aligned, but it is still account-level credential use.

Skill content

_pexo_auth_header() { printf 'Authorization: Bearer %s' "$PEXO_API_KEY"; }

Recommendation

Use a revocable Pexo API key, keep ~/.pexo/config private, and rotate the key if it is exposed.

What this means

Files selected for upload may leave the local machine and be processed by Pexo or its storage backend.

Why it was flagged

The upload helper sends a user-selected local file to an upload URL returned by the Pexo API. This is expected for reference images/video/audio, but it is an external data transfer.

Skill content

curl -sS -X PUT -H "Content-Type: $mime_type" -T "$file_path" "$upload_url"

Recommendation

Upload only media intended for the video project, and avoid including private or sensitive files unless you trust Pexo to process them.

What this means

If the config file or PEXO_CONFIG path is tampered with, running a Pexo helper could execute unwanted local shell commands.

Why it was flagged

The config file is shell-sourced rather than parsed as data, so commands placed in that file would run whenever a helper script starts. This is common shell-config behavior but worth noticing.

Skill content

_PEXO_CONFIG="${PEXO_CONFIG:-$HOME/.pexo/config}"; [[ -f "$_PEXO_CONFIG" ]] && source "$_PEXO_CONFIG"

Recommendation

Keep the config file to simple variable assignments, restrict its permissions, and do not point PEXO_CONFIG at untrusted files.

What this means

Users may not see all setup requirements or provenance information from the registry metadata alone.

Why it was flagged

Registry-level metadata does not declare the API key, base URL, or runtime tools that SKILL.md and the scripts require. This is an under-declaration/package-coherence issue rather than evidence of malicious behavior.

Skill content

Source: unknown; Homepage: none; Required env vars: none; Primary credential: none; No install spec

Recommendation

Verify the Pexo homepage/repository independently and ensure curl, jq, file, PEXO_BASE_URL, and PEXO_API_KEY are intentionally configured before use.