Skills
skills/doany-ai/skills/image-inpainting/Gen Agent Trust Hub

image-inpainting

Pass

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the installation of the @runcomfy/cli package from the public npm registry to enable interaction with the RunComfy API.
  • [COMMAND_EXECUTION]: The skill uses the Bash(runcomfy *) tool to execute local CLI commands for authentication and image processing.
  • [SAFE]: Analysis of indirect prompt injection vulnerability surfaces: 1. Ingestion points: External image and mask URLs are ingested as parameters in SKILL.md for processing by the CLI. 2. Boundary markers: The skill documentation includes safety guidelines for agents, recommending that only user-explicitly provided URLs be processed. 3. Capability inventory: Capabilities are restricted to the runcomfy command line tool for API requests and local directory output. 4. Sanitization: Input content provided via the --input flag is processed as a JSON string, and the documentation notes that the CLI does not perform shell expansion on the content.
Audit Metadata
Risk Level
SAFE
Analyzed
May 18, 2026, 02:23 PM