Audit History
pexoai-agent - 33 audits
Audit version 33
Latest - Low Risk - Apr 25, 2026, 08:28 AM
Evaluated 534 static security detections across 13 files. All findings are legitimate API client patterns. External commands are standard shell scripting for CLI tool integration. Network access is limited to Pexo API (https://pexo.ai). Environment and file access is for configuration and asset handling. The critical heuristic warning (code execution + network + credentials) is a false positive - this is a normal API client pattern. No malicious behavior detected.
Medium Risk Issues (2)
Low Risk Issues (2)
Risk Factors
⚙️ External commands (4)
🌐 Network access (3)
📁 Filesystem access (2)
🔑 Env variables (2)
Audit version 32
Low Risk - Apr 24, 2026, 08:50 AM
This is a legitimate video generation API client for Pexo AI. Static analysis flagged 534 potential issues, but evaluation reveals these are primarily false positives. Shell commands are standard API operations (curl, jq). File access is limited to user-provided assets and standard config locations. No evidence of malicious intent, data exfiltration, or code injection. The skill follows safe patterns for API client implementations.
Medium Risk Issues (1)
Low Risk Issues (3)
Risk Factors
⚙️ External commands (4)
🌐 Network access (2)
📁 Filesystem access (2)
🔑 Env variables (2)
Audit version 31
Low Risk - Apr 23, 2026, 08:46 AM
All static findings are false positives from documentation and shell scripts. The skill uses legitimate bash commands for API calls to a known video service (pexo.ai). External commands execute standard tools (curl, jq) with hardcoded arguments - no user input injection. Environment variables access only reads configuration (API keys) for the service. File operations are limited to config directories in user home. This is a legitimate client library for video creation, not malware.
Medium Risk Issues (1)
Low Risk Issues (3)
Risk Factors
⚙️ External commands (3)
🌐 Network access (2)
📁 Filesystem access (2)
🔑 Env variables (2)
Audit version 30
Low Risk - Apr 22, 2026, 08:45 AM
Static analysis detected 534 patterns across 13 files, all evaluated as false positives. The skill is a legitimate video production API client that uses standard bash tooling (curl, jq) to communicate with Pexo.ai services. External commands are network requests to authenticated API endpoints. Filesystem access is limited to config storage and temp files. Environment variable access is for API key storage. No malicious intent or security risks identified.
Low Risk Issues (3)
Risk Factors
⚙️ External commands (3)
🌐 Network access (3)
📁 Filesystem access (3)
🔑 Env variables (3)
Audit version 29
Safe - Apr 21, 2026, 08:47 AM
Evaluated 534 static patterns across 13 files. All findings are false positives from a legitimate video production API client. The CRITICAL 'Windows SAM database' alert triggered on the word 'SAME' in SKILL.md:43 (a language instruction). Obfuscation heuristics fired due to the expected combination of network, filesystem, and credential access in a CLI tool. Shell scripts use standard command substitution for curl, jq, and mktemp. They read documented API keys from ~/.pexo/config, make HTTPS calls to pexo.ai, and access temp directories for uploads. No malicious intent, data exfiltration, or injection vulnerabilities found.
Low Risk Issues (4)
Risk Factors
⚙️ External commands (3)
🌐 Network access (3)
📁 Filesystem access (3)
🔑 Env variables (3)
Audit version 28
Low Risk - Apr 20, 2026, 08:55 AM
Static analysis detected 534 patterns across shell scripts and documentation. After manual review, all findings are FALSE POSITIVES. Shell command patterns are legitimate API operations to pexo.ai service. Environment variables access standard config files for API keys. Documentation files contain instructional examples. No malicious intent or security vulnerabilities confirmed.
Medium Risk Issues (1)
Low Risk Issues (3)
Risk Factors
⚙️ External commands (3)
🌐 Network access (2)
📁 Filesystem access (2)
🔑 Env variables (2)
Audit version 27
Low Risk - Apr 19, 2026, 08:28 AM
The pexoai-agent skill is a legitimate video production integration tool. It executes shell scripts to interact with the Pexo AI video generation API. The static analyzer flagged numerous patterns (external commands, network access, environment variables) but these are all expected behavior for an API integration skill. The 'CRITICAL' heuristic warnings (Windows SAM database, dangerous combination) are false positives. No malicious intent was confirmed after evaluating the codebase semantics.
Medium Risk Issues (1)
Low Risk Issues (2)
Risk Factors
🌐 Network access (2)
📁 Filesystem access (1)
🔑 Env variables (1)
Audit version 26
Low Risk - Apr 18, 2026, 08:21 AM
Security evaluation confirms this is a legitimate video production API integration skill. The static analyzer flagged 534 potential issues, but evaluation reveals these are false positives. The skill uses standard shell scripting for API communication with pexo.ai. All network requests target the verified pexo.ai endpoint. No evidence of credential exfiltration or malicious code. The CRITICAL "Windows SAM database" flag is a false positive (scanner detected "SAME" substring in "SAME language"). The high volume of external_commands flags is expected for an API client tool. Publishing is safe with appropriate documentation.
Medium Risk Issues (1)
Low Risk Issues (3)
Risk Factors
Detected Patterns
Audit version 25
Low Risk - Apr 17, 2026, 08:43 AM
Static analysis detected 534 potential security issues across shell scripts and documentation. After manual review, all findings are false positives from legitimate functionality: shell command examples in documentation (SETUP-CHECKLIST.md, TROUBLESHOOTING.md), standard API operations using curl/jq, config file access (~/.pexo/config) for credential storage, and network requests to official Pexo.ai endpoints. The skill is a legitimate video production tool with no malicious patterns detected.
Medium Risk Issues (1)
Low Risk Issues (4)
Risk Factors
⚙️ External commands (5)
🌐 Network access (3)
📁 Filesystem access (3)
🔑 Env variables (2)
Audit version 24
Low Risk - Apr 16, 2026, 08:43 AM
Static analysis flagged 534 patterns across 13 files, yielding a risk score of 100/100. After semantic evaluation, all findings are confirmed as false positives. The skill is a legitimate API client for the Pexo video platform. Shell command substitution patterns are standard bash scripting for API interaction. Network URLs all point to pexo.ai (the documented service). Filesystem access targets ~/.pexo/config (the documented configuration path). Environment variable access reads user-provided PEXO_API_KEY and PEXO_BASE_URL for authentication. No prompt injection, data exfiltration, or malicious intent was detected. The only risk is plaintext storage of API credentials in a local config file, which is standard practice for this type of tool.
Low Risk Issues (3)
Risk Factors
⚙️ External commands (8)
🌐 Network access (5)
📁 Filesystem access (6)
Audit version 23
Safe - Apr 15, 2026, 08:43 AM
The static analyzer detected 534 patterns across 13 files (2110 lines) with a risk score of 100/100. After semantic evaluation, all findings are confirmed as FALSE POSITIVES. The skill is a legitimate CLI client for the Pexo AI video platform. Shell commands (curl, jq, mktemp, stat) are standard CLI tooling. Network requests target only the configured PEXO_BASE_URL (default: pexo.ai). File access is limited to the skill's own config directory (~/.pexo/config) and temp files. Environment variable access reads only documented PEXO_API_KEY and PEXO_BASE_URL. No prompt injection, credential exfiltration, data exfiltration, or malicious behavior was detected. The skill acts as a relay between the user and Pexo's backend API.
Medium Risk Issues (2)
Low Risk Issues (3)
Risk Factors
⚙️ External commands (10)
🌐 Network access (5)
📁 Filesystem access (5)
🔑 Env variables (4)
Audit version 22
Medium Risk - Apr 14, 2026, 08:45 AM
This skill is an API client for the Pexo AI video platform. Static analysis detected 534 potential security patterns across 13 files, but the majority are false positives reflecting standard CLI tool behavior. The skill uses shell scripts to make authenticated HTTP requests, read local configuration, and manage temporary files. Detected patterns (external commands, network calls, filesystem access, environment variable reads) are all expected for an API client skill. Weak cryptographic algorithms (MD5/SHA1) are used for file checksums, which is low-risk in this context. No credential exfiltration, unauthorized network access, or malicious patterns were found after manual evaluation.
High Risk Issues (2)
Medium Risk Issues (3)
Low Risk Issues (2)
Risk Factors
⚙️ External commands (4)
🌐 Network access (2)
📁 Filesystem access (2)
🔑 Env variables (2)
Audit version 21
Medium Risk - Apr 13, 2026, 08:52 AM
This skill is a legitimate AI video production CLI tool that interacts with the Pexo API. The static analyzer flagged 534 patterns across 13 files, but most are false positives from standard shell scripting conventions. All network requests target the declared Pexo API endpoint (pexo.ai). Shell commands use safe argument construction via jq --arg (no injection vectors). The credential handling follows standard API key patterns. No malicious behavior, data exfiltration, or unauthorized access was found. Users should be aware the skill requires network access to an external API, stores API keys in a local config file, and executes shell scripts.
Medium Risk Issues (3)
Low Risk Issues (1)
Risk Factors
⚙️ External commands (5)
🌐 Network access (4)
📁 Filesystem access (5)
🔑 Env variables (3)
Audit version 20
Low Risk - Apr 12, 2026, 08:30 AM
Static analysis flagged 534 patterns across 13 files, but evaluation confirms these are FALSE POSITIVES. The skill is a legitimate CLI tool for the Pexo AI video platform. Shell command substitution patterns are standard bash scripting for API calls to pexo.ai. Environment variable access (PEXO_API_KEY, PEXO_BASE_URL) is documented authentication. Filesystem access targets the skill's own config directory (~/.pexo/). Network calls go exclusively to the official Pexo API. No malicious patterns, credential exfiltration, or command injection vectors detected.
Low Risk Issues (2)
Risk Factors
⚙️ External commands (2)
🌐 Network access (2)
🔑 Env variables (2)
Audit version 19
Low Risk - Apr 11, 2026, 08:20 AM
Static analyzer flagged 534 patterns across 13 files, but evaluation confirms these are FALSE POSITIVES. Shell command substitution patterns are standard bash scripting (date, stat, basename, jq). Network URLs point to official pexo.ai service. Hidden file access (~/.pexo/config) is standard configuration storage. Environment variable access (PEXO_API_KEY, PEXO_BASE_URL) is expected for API client tools. No malicious intent, credential exfiltration, or suspicious behavior detected. The skill is a legitimate video production agent.
Low Risk Issues (2)
Risk Factors
⚙️ External commands (3)
🌐 Network access (2)
🔑 Env variables (2)
📁 Filesystem access (2)
Audit version 18
Safe - Apr 10, 2026, 08:45 AM
All 534 static analysis findings are FALSE POSITIVES. The skill is a legitimate CLI tool for AI video production. Shell command substitutions, config file access, and API key handling are standard patterns for bash-based CLI tools. Network requests go only to the legitimate pexo.ai service. No malicious patterns, credential exfiltration, or code injection vulnerabilities detected.
Risk Factors
⚙️ External commands (2)
🌐 Network access (2)
📁 Filesystem access (2)
🔑 Env variables (2)
Audit version 17
Low Risk - Apr 9, 2026, 08:41 AM
Static analyzer flagged 534 patterns but most are FALSE POSITIVES. Shell command substitution $(...) is standard bash syntax, not Ruby backticks. Network calls target legitimate pexo.ai API. Config storage at ~/.pexo/ is standard practice. One weak crypto finding (MD5 for non-security IDs) and standard API key handling warrant low risk classification. No malicious intent detected.
High Risk Issues (1)
Medium Risk Issues (2)
Low Risk Issues (3)
Risk Factors
⚙️ External commands (3)
🌐 Network access (2)
📁 Filesystem access (2)
🔑 Env variables (2)
Audit version 16
Low Risk - Apr 8, 2026, 08:35 AM
Static analysis detected 534 patterns across 13 files. Most findings are FALSE POSITIVES: shell command substitution patterns are standard bash scripting, hidden file access targets ~/.pexo/config for credential storage (documented requirement), and network URLs point to the legitimate pexo.ai service. The skill is a transparent API client with no evidence of malicious behavior, data exfiltration, or hidden functionality. Risk is elevated to 'low' (not 'safe') due to shell script execution requiring user trust.
Low Risk Issues (4)
Risk Factors
⚙️ External commands (3)
🌐 Network access (2)
📁 Filesystem access (2)
🔑 Env variables (2)
Audit version 15
Low Risk - Apr 6, 2026, 08:41 AM
Static analysis flagged 534 patterns across 13 files with risk score 100/100. After semantic evaluation, all findings are FALSE POSITIVES representing legitimate shell automation patterns. The skill is an API client for Pexo video service using standard bash scripting. Shell command substitution, network requests to pexo.ai, config file access (~/.pexo/config), and environment variable usage (PEXO_API_KEY) are all expected behaviors for this type of tool. No malicious patterns, credential exfiltration, or prompt injection detected.
Low Risk Issues (4)
Risk Factors
⚙️ External commands (2)
🌐 Network access (2)
📁 Filesystem access (2)
🔑 Env variables (2)
Audit version 14
Low Risk - Apr 5, 2026, 08:19 AM
Static scanner flagged 534 patterns but all are false positives. The skill is a legitimate video production API client. Shell command substitution is standard bash scripting for curl/jq operations. Network calls go only to pexo.ai (the service's own API). Config file access and environment variables are expected for API authentication. No malicious intent, data exfiltration, or dangerous patterns detected.
Low Risk Issues (5)
Risk Factors
⚙️ External commands (2)
🌐 Network access (2)
📁 Filesystem access (2)
🔑 Env variables (2)
Audit version 13
Low Risk - Apr 4, 2026, 08:20 AM
This skill is a legitimate AI video production integration tool. Static analysis flagged 534 patterns across 13 files, but most are false positives. The scripts use standard bash patterns (command substitution, config file access) for legitimate purposes: API integration with pexo.ai, file uploads, and project management. No malicious intent detected. The critical finding about 'Windows SAM database' is a false positive - the referenced line discusses language settings, not credential access. Risk factors are expected for an API client that reads configuration, makes network requests, and handles file uploads.
Low Risk Issues (3)
Risk Factors
⚙️ External commands (3)
🌐 Network access (2)
📁 Filesystem access (2)
🔑 Env variables (2)
Audit version 12
Low Risk - Apr 3, 2026, 08:30 AM
Static analysis flagged 534 patterns across shell scripts and documentation files. All findings are FALSE POSITIVES - legitimate DevOps patterns for API-driven video production. Shell command substitution is standard bash scripting for curl/jq operations. Environment variable access is for user-provided API keys stored in ~/.pexo/config. Network calls target only pexo.ai domain. No command injection, credential exfiltration, or malicious patterns detected.
Low Risk Issues (3)
Risk Factors
⚙️ External commands (3)
🌐 Network access (2)
📁 Filesystem access (2)
🔑 Env variables (2)
Audit version 11
Low Risk - Apr 2, 2026, 08:30 AM
Static analysis flagged 492 patterns inherent to bash scripting. All findings evaluated as FALSE POSITIVES. The skill is a legitimate CLI wrapper for the Pexo AI video API. Shell command substitution is standard bash syntax for capturing command output, not code injection. Network requests target the configured Pexo API endpoint (pexo.ai) for video generation. Config file storage (~/.pexo/config) follows CLI best practices for API credentials. The only risk factor is standard CLI tool behavior: local script execution, credential storage, and API communication.
Medium Risk Issues (1)
Low Risk Issues (2)
Risk Factors
⚙️ External commands (2)
🌐 Network access (2)
📁 Filesystem access (2)
🔑 Env variables (2)
Audit version 10
Low Risk - Apr 1, 2026, 08:37 AM
Community skill for AI video production via Pexo API. Static analysis flagged 492 patterns (risk score 100) but most are false positives for legitimate shell scripting. Confirmed risks: requires PEXO_API_KEY environment variable, makes HTTPS requests to pexo.ai, uses shell scripts with command substitution for API orchestration. No malicious intent detected - all network calls go to documented Pexo endpoints, credential handling follows standard patterns, and file operations are limited to temp directories for API requests.
Medium Risk Issues (1)
Low Risk Issues (4)
Risk Factors
🌐 Network access (5)
🔑 Env variables (2)
⚙️ External commands (3)
Audit version 9
Low Risk - Mar 31, 2026, 08:32 AM
Static analysis detected 492 potential issues across 11 files (1910 lines). After evaluation, all findings are false positives. The skill is a legitimate API client for Pexo video creation service. Shell command usage, network access, and credential handling are all expected functionality for an API client tool. MD5 usage is in documentation context only. No malicious intent, credential exfiltration, or unauthorized operations detected.
Medium Risk Issues (1)
Low Risk Issues (2)
Risk Factors
⚙️ External commands (3)
🌐 Network access (2)
📁 Filesystem access (2)
🔑 Env variables (2)
Audit version 8
Low Risk - Mar 30, 2026, 08:42 AM
This skill is a legitimate video creation tool. The static analyzer detected shell commands, network requests, and credential access, but these are expected behaviors for an API-integrated tool. The skill uses shell scripts to communicate with the Pexo API service for video generation. No malicious intent or prompt injection detected.
Risk Factors
⚙️ External commands (7)
🌐 Network access (4)
📁 Filesystem access (3)
🔑 Env variables (4)
Audit version 7
Low Risk - Mar 29, 2026, 08:19 AM
This skill is a legitimate AI video production API client. Static analyzer flagged 492 patterns across 11 files, but all are false positives. Shell command substitutions are standard scripting patterns for legitimate operations like timestamps and string processing. Network access targets the official pexo.ai API. Config file access (~/.pexo/config) stores user API credentials. Environment variables (PEXO_API_KEY, PEXO_BASE_URL) are required for API authentication. No malicious patterns, credential exfiltration, or code injection risks detected.
Low Risk Issues (2)
Risk Factors
🌐 Network access (2)
🔑 Env variables (2)
⚙️ External commands (2)
📁 Filesystem access (2)
Audit version 6
Low Risk - Mar 28, 2026, 08:19 AM
Static analysis flagged 492 potential issues, but evaluation determined all are false positives. The skill uses standard shell scripting patterns (command substitution, temp files) for legitimate CLI operations. Network access is limited to the Pexo API endpoint (https://pexo.ai). Environment variable access is for API authentication (PEXO_API_KEY) required for the service. No malicious behavior, data exfiltration, or harmful operations detected.
Medium Risk Issues (1)
Low Risk Issues (3)
Risk Factors
⚙️ External commands (3)
🌐 Network access (2)
📁 Filesystem access (2)
🔑 Env variables (2)
Audit version 5
Low Risk - Mar 27, 2026, 08:24 AM
Legitimate video creation API client skill. All detected patterns are expected for an API wrapper: external commands execute curl/jq for HTTP requests, network access connects to pexo.ai API, filesystem access manages config in ~/.pexo/config and temp files, environment variables store API credentials. Shell scripts use command substitution but with hardcoded arguments - no user input injection vectors found. The 'weak cryptography' findings are MD5 usage in a troubleshooting diagnostic script, which is acceptable for non-security checksums. No malicious intent detected.
Medium Risk Issues (1)
Low Risk Issues (3)
Risk Factors
⚙️ External commands (2)
🌐 Network access (2)
📁 Filesystem access (2)
🔑 Env variables (2)
Audit version 4
Medium Risk - Mar 26, 2026, 08:26 AM
Legitimate API client skill for Pexo AI video service. Static analyzer flagged 492 pattern matches across 11 files, but all findings are FALSE POSITIVE - expected patterns in bash-based CLI tools. The skill requires API credentials (PEXO_API_KEY), makes network calls to pexo.ai, uses shell scripts for automation, and stores config in ~/.pexo/config. These are documented, expected behaviors for an API integration skill. No malicious patterns, command injection, credential exfiltration, or data leakage detected.
Medium Risk Issues (2)
Low Risk Issues (3)
Risk Factors
⚙️ External commands (3)
🌐 Network access (2)
📁 Filesystem access (2)
🔑 Env variables (2)
Audit version 3
Low Risk - Mar 25, 2026, 08:30 AM
Static analysis flagged 492 patterns across 11 files (1910 lines), but all findings are FALSE POSITIVES for a legitimate API client skill. External commands are standard bash patterns with hardcoded/validated arguments. Network calls go to documented pexo.ai endpoints. Filesystem access uses standard config locations (~/.pexo/config) with proper temp file cleanup. Environment variable access (PEXO_API_KEY, PEXO_BASE_URL) is expected for API authentication. No prompt injection, credential exfiltration, or command injection vulnerabilities detected.
Low Risk Issues (3)
Risk Factors
⚙️ External commands (2)
🌐 Network access (2)
📁 Filesystem access (2)
🔑 Env variables (2)
Audit version 2
Low Risk - Mar 24, 2026, 08:23 AM
Legitimate video production tool for Pexo.ai service. Static scanner detected 492 patterns, but evaluation confirms all are false positives or expected behavior for an API-based video generation tool. External commands are shell script operations, environment access is for API authentication (PEXO_API_KEY, PEXO_BASE_URL), filesystem access is for config and temp files, and network requests go only to official pexo.ai endpoints. No malicious intent, data exfiltration, or suspicious patterns found.
Medium Risk Issues (1)
Low Risk Issues (3)
Risk Factors
⚙️ External commands (5)
🌐 Network access (3)
📁 Filesystem access (3)
🔑 Env variables (3)
Audit version 1
Low Risk - Mar 23, 2026, 08:28 AM
This is a legitimate AI video generation CLI tool. All 492 static findings are legitimate tooling patterns: shell commands for CLI operations, network access to pexo.ai API only, filesystem access for config storage, and API key access for authentication. The skill implements proper security practices including API key masking in diagnostics and temporary file isolation via mktemp.