Launch Video

Security checks across malware telemetry and agentic risk

Overview

This skill is a purpose-aligned Pexo video-generation wrapper, but users should understand their prompts and uploaded media are processed by Pexo’s hosted service.

Install only if you are comfortable sending product briefs, screenshots, URLs, and media files to Pexo for remote processing. Store the PEXO_API_KEY carefully in ~/.pexo/config, avoid uploading secrets or sensitive internal content, and remember that creating projects may consume Pexo credits.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill instructs the agent to relay the user's request verbatim and upload provided files to a hosted Pexo backend, but it does not prominently warn that prompts, URLs, screenshots, and other media are transmitted to an external third-party service. Users may disclose confidential product plans, credentials in screenshots, or proprietary media without realizing that data leaves the local environment and is stored/processed remotely.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal