video-edit
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [SAFE]: The skill is developed by 'runcomfy-com' and interacts with its own official services, domains, and tools. No malicious behavior, obfuscation, or unauthorized data exfiltration was detected.
- [COMMAND_EXECUTION]: The skill instructs the agent to interact with the system using the
runcomfyCLI for authentication and model invocation. The skill uses JSON-formatted input strings to minimize the risk of shell injection from user-provided prompts. - [PROMPT_INJECTION]: The skill contains an indirect prompt injection attack surface as it processes external media content via URLs.
- Ingestion points: The skill ingests user-provided media links through fields like
video,image, andvideo_urlin the model schemas. - Boundary markers: Media inputs are delimited within JSON objects before being passed to the CLI.
- Capability inventory: The
runcomfyCLI (referenced in the SKILL.md) has the capability to perform network operations to communicate with model APIs and write generated media files to a user-specified local directory. - Sanitization: The skill explicitly warns users that external URLs should be treated as untrusted and notes that image-based prompt injection is a known risk for video-edit models. The CLI also implements a 2 GiB download cap to prevent disk-exhaustion attacks.
Audit Metadata