Pexo — agentic threat model
Pexo presents a moderate security risk primarily driven by its integration into corporate communication channels (Slack, Lark) and its orchestration of multiple third-party video generation models. While its human-in-the-loop preview mechanism mitigates some autonomous execution risks, the lack of explicit security guardrails for deepfake prevention and data privacy in chat environments remains a concern.
OWASP AIVSS score rationale
| Agentic risk factor | Value |
| --- | --- |
| Autonomy of Action | 0.40 |
| Goal-Driven Planning | 0.60 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.50 |
| Persistent Memory | 0.30 |
| Contextual Awareness | 0.50 |
| Dynamic Identity | 0.20 |
| Multi-Agent Interactions | 0.40 |
| Non-Determinism | 0.70 |
| Opacity & Reflexivity | 0.60 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1, Foundation Models: Pexo utilizes multi-model intelligence, dynamically selecting from third-party foundation models like Seedance, Sora, and Kling. This exposes the agent to upstream model vulnerabilities, including adversarial prompt injection that could bypass safety filters of the underlying video generation models.
Layer 2, Data Operations (not certain from the listing): Pexo pulls references and suggests creative directions, which indicates it may query external databases or search engines. This introduces risks of data poisoning or intellectual property exfiltration if user-provided assets are ingested into training or reference pipelines.
Layer 3, Agent Frameworks: The agent framework orchestrates a non-linear workflow, managing state across scene selection, model routing, and rendering. Vulnerabilities in this orchestration layer could allow attackers to manipulate the model-selection logic or inject malicious instructions into the video generation pipeline.
Layer 4, Deployment and Infrastructure (not certain from the listing): Pexo likely runs on cloud infrastructure to handle heavy video rendering and API orchestration. Security risks include insecure API key storage for third-party video models and potential container escape vulnerabilities during rendering tasks.
Layer 5, Evaluation and Observability: Pexo features a 'Preview Before Production' workflow, acting as a human-in-the-loop guardrail. However, there is no mention of automated content moderation or deepfake detection tools to prevent the generation of harmful or copyrighted video content.
Layer 6, Security and Compliance (not certain from the listing): Pexo is a free, closed-source tool, and there is no public evidence of compliance certifications (e.g., SOC2, GDPR) or robust access control policies governing how user data and generated videos are stored and protected.
Layer 7, Agent Ecosystem: Pexo integrates directly with enterprise messaging ecosystems like Slack, Lark, and WhatsApp. If compromised, the agent could be used as a vector for social engineering, phishing, or unauthorized data harvesting within corporate communication channels.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).