ace-step
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [SAFE]: The skill follows established security best practices, including declaring a restricted tool scope `Bash(runcomfy *)` and providing a dedicated 'Security & Privacy' section that acknowledges and addresses potential risks like shell injection and indirect prompt injection.
- [EXTERNAL_DOWNLOADS]: The skill requires the `@runcomfy/cli` package from the official NPM registry for its operation. It also fetches audio files from user-provided HTTPS URLs for inpainting and outpainting tasks.
- [COMMAND_EXECUTION]: The skill executes the `runcomfy` CLI tool to interact with the RunComfy API. The instructions specify that input is passed as a JSON string to the CLI to mitigate shell injection risks.
- [CREDENTIALS_UNSAFE]: The skill manages authentication via an API token (`RUNCOMFY_TOKEN`), which is handled by the vendor's CLI tool. The documentation provides clear instructions for secure token management in various environments.
Audit Metadata