image-inpainting

Pass

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: SAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill references the installation of the @runcomfy/cli package from the npm registry. This is the official command-line tool provided by the vendor (runcomfy-com) and is used for its intended purpose.
  • [COMMAND_EXECUTION]: The skill performs image inpainting by executing the runcomfy CLI tool. It uses a structured JSON format for inputs (--input) to define prompts and image URLs, which effectively prevents shell injection vulnerabilities.
  • [PROMPT_INJECTION]: The skill identifies a potential surface for indirect prompt injection, as it processes untrusted image and mask URLs. However, it includes proactive security documentation advising agents to only use user-provided URLs and to monitor for unexpected outputs, which aligns with security best practices for AI agent skills.
Audit Metadata
Risk Level: SAFE
Analyzed: May 18, 2026, 02:03 PM