image-to-video
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the @runcomfy/cli package from the NPM registry to function. This is a standard dependency for skills that interface with external cloud services via their native tools.
- [COMMAND_EXECUTION]: The skill invokes the runcomfy command-line tool to process image-to-video requests. It utilizes structured JSON input within the CLI arguments, which is a security best practice that prevents shell injection by avoiding direct shell expansion of user-provided prompts and URLs.
- [CREDENTIALS_UNSAFE]: Handles service authentication via the RUNCOMFY_TOKEN environment variable or a local configuration file. The documentation explicitly mentions secure file handling (permissions mode 0600) and provides instructions for managing tokens safely in development and CI/CD environments.
- [DATA_EXFILTRATION]: Network operations are restricted to the vendor's official domains (runcomfy.net and runcomfy.com) for request processing and downloading generated assets. No unauthorized exfiltration or suspicious network patterns were identified.
- [PROMPT_INJECTION]: The instructions are designed to pick appropriate generation models based on intent and do not contain any instructions attempting to bypass safety filters, extract system prompts, or override the agent's core operational logic.
- [SAFE]: Analysis of the skill body, metadata, and execution flow confirms that it follows intended functionality without any detected obfuscation, persistence mechanisms, or malicious triggers.
Audit Metadata