video-inpainting
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill utilizes the vendor's own official package '@runcomfy/cli' for video processing tasks. Package installation and execution via 'npm' or 'npx' are performed using standard, non-malicious methods.
- [SAFE]: Network activity is restricted to the service provider's own infrastructure (*.runcomfy.net and *.runcomfy.com), which is consistent with the skill's stated purpose of interacting with the RunComfy API.
- [SAFE]: Credential management instructions follow security best practices by advising the use of environment variables (RUNCOMFY_TOKEN) or local configuration files with restricted permissions (0600), rather than hardcoding sensitive data.
- [SAFE]: The skill exposes an indirect prompt injection surface because it processes external video URLs and user prompts. However, it implements boundary markers by encapsulating these inputs within a JSON string for the CLI, which mitigates shell injection risks.
  - Ingestion points: 'video_url' and 'prompt' fields within the '--input' JSON argument in SKILL.md.
  - Boundary markers: Use of single-quoted JSON strings to prevent shell expansion of untrusted content.
  - Capability inventory: The 'runcomfy' CLI tool executes network requests to model endpoints and writes output files to a specified directory.
  - Sanitization: Content is handled as structured data by the underlying CLI tool rather than being directly interpreted by a shell.