skills/doany-ai/skills/ai-music/Gen Agent Trust Hub

ai-music

Pass

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [SAFE]: No malicious patterns, obfuscation, or unauthorized data access were found within the skill instructions or associated commands.
  • [COMMAND_EXECUTION]: The skill facilitates the use of the runcomfy CLI to run AI music models. Use of the runcomfy command is explicitly authorized and scoped within the skill's manifest via the allowed-tools configuration.
  • [EXTERNAL_DOWNLOADS]: The skill provides instructions to install the @runcomfy/cli from the official NPM registry and references its own repository on GitHub, which are standard and appropriate for the skill's intended function.
  • [CREDENTIALS_UNSAFE]: Security best practices for managing API tokens are provided, including the use of environment variables (RUNCOMFY_TOKEN) and secure local storage (~/.config/runcomfy/token.json) with restricted permissions (mode 0600). The skill explicitly warns against leaking or logging these credentials.
  • [PROMPT_INJECTION]: The skill identifies the potential for indirect prompt injection from user-provided audio files or lyrics. It provides a mandatory evidence chain for the agent, noting that untrusted data enters via audio URLs or lyrics, but is passed via a JSON boundary (--input) and includes instructions for the agent to only ingest user-provided content and monitor for output deviations as a sanitization measure.
Audit Metadata
Risk Level: SAFE
Analyzed: May 19, 2026, 06:45 PM