elevenlabs-music-generation
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the
runcomfyCLI to execute music generation tasks. Access to this tool is properly scoped within the skill's configuration to prevent unauthorized command execution. - [EXTERNAL_DOWNLOADS]: The skill recommends installing the
@runcomfy/clipackage from the official NPM registry, which is a well-known service for package distribution. - [PROMPT_INJECTION]: The skill has an indirect prompt injection surface as it processes user-defined prompts for music style and lyrics.
- Ingestion points: User data enters via the
promptfield within the JSON input provided to the CLI. - Boundary markers: Untrusted input is encapsulated in a JSON object and passed as a single-quoted string to the shell command.
- Capability inventory: The skill uses the
runcomfy runcommand to communicate with external APIs and download generated audio files. - Sanitization: The documentation states the CLI does not perform shell expansion on the prompt content, effectively mitigating command injection risks from user data.
Audit Metadata