skills/runcomfy-com/skills/ai-music/Gen Agent Trust Hub

ai-music

Pass

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: SAFE (flagged categories: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill contains an attack surface for indirect prompt injection via the processing of external audio files.
      • Ingestion points: The audio parameter in the JSON input for the acestep-ai/ace-step/audio-inpaint and acestep-ai/ace-step/audio-outpaint endpoints in SKILL.md.
      • Boundary markers: Absent. While the skill uses structured JSON for parameters, it lacks specific delimiters or "ignore embedded instructions" warnings for the processed audio data.
      • Capability inventory: The skill invokes the runcomfy CLI through the Bash tool to perform remote music generation and editing operations.
      • Sanitization: Present. The "Security & Privacy" section provides explicit guidance for agents to only ingest user-provided URLs and to monitor for output divergence, representing a security-aware implementation.
  • [COMMAND_EXECUTION]: The skill is configured to execute the vendor's command-line interface tool to perform its primary tasks.
      • Evidence: The YAML frontmatter in SKILL.md defines allowed-tools: Bash(runcomfy *) to enable the generation and editing routes described in the instructions.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 18, 2026, 01:31 PM