comfy-model-onboarding

Pass

Audited by Gen Agent Trust Hub on May 8, 2026

Risk Level: SAFE (findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill directs the agent to use local CLI tools like comfy-models and comfy-imagegen, alongside standard filesystem commands like ls and find, to manage model profiles and verify their functionality.
  • [EXTERNAL_DOWNLOADS]: The skill references comfy-model-downloader to retrieve missing model files required for the supported profiles.
  • [PROMPT_INJECTION]: The skill processes data from the local filesystem, such as directory listings and file metadata, which creates a surface for indirect prompt injection.
  • Ingestion points: The agent reads file names and safetensors metadata from the model directory (SKILL.md).
  • Boundary markers: No specific delimiters are used to separate external file data from the agent's instructions.
  • Capability inventory: The agent can modify local configurations and execute various system tools.
  • Sanitization: There is no mention of sanitizing or validating the content read from file metadata.
Audit Metadata
Risk Level: SAFE
Analyzed: May 8, 2026, 12:13 AM
Security Audit — agent-trust-hub — comfy-model-onboarding