image-outpainting
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill references the official vendor CLI package for installation.
- Evidence: Recommends
npm i -g @runcomfy/cliornpx -y @runcomfy/clifor accessing outpainting features. - [COMMAND_EXECUTION]: Tool access is strictly limited to the vendor's command-line interface.
- Evidence: The YAML frontmatter defines
allowed-tools: Bash(runcomfy *), preventing arbitrary shell command execution. - [DATA_EXFILTRATION]: Network activity is confined to legitimate vendor-owned domains for processing image requests.
- Evidence: The skill connects to
model-api.runcomfy.netand*.runcomfy.comto send prompts and retrieve generated images. - [CREDENTIALS_UNSAFE]: The skill implements standard, secure patterns for handling API authentication.
- Evidence: Instructions recommend using
RUNCOMFY_TOKENenvironment variables or the CLI's internalloginmechanism rather than hardcoding credentials. - [PROMPT_INJECTION]: The skill includes explicit security documentation regarding the handling of untrusted data from external images.
- Evidence: The 'Security & Privacy' section identifies image URLs as untrusted and notes that the CLI avoids shell-expansion of input strings to mitigate injection risks.
Audit Metadata