Skills
skills/runcomfy-com/skills/image-to-video/Gen Agent Trust Hub

image-to-video

Pass

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the runcomfy CLI to execute various image-to-video models. This is the core functionality of the skill and is performed through a documented command-line interface.
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of the @runcomfy/cli package from the npm registry and references a GitHub repository (agentspace-so/runcomfy-skills) for skill management. These are standard external resources for the vendor's ecosystem.
  • [PROMPT_INJECTION]: The skill processes user-provided inputs such as image_url, audio_url, and prompt strings.
  • Ingestion points: User-supplied URLs and text prompts defined in the Invoke sections of SKILL.md.
  • Boundary markers: Data is passed to the CLI using a JSON-formatted string within the --input flag, which serves as a delimiter.
  • Capability inventory: The skill executes the runcomfy command to interact with remote APIs and downloads resulting media files.
  • Sanitization: The documentation explicitly states that the CLI does not shell-expand the prompt, mitigating traditional command injection while acknowledging the inherent risk of model-level prompt injection from external content.
Audit Metadata
Risk Level
SAFE
Analyzed
May 18, 2026, 02:03 PM