video-inpainting

Pass

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: SAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the user to install the @runcomfy/cli package via NPM. This is an official package from the skill's author (runcomfy-com).
  • [COMMAND_EXECUTION]: The skill utilizes the Bash tool, which is strictly limited to the runcomfy CLI in the YAML frontmatter (allowed-tools: Bash(runcomfy *)). This implementation of the principle of least privilege reduces the attack surface for command injection.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes external data in the form of video URLs and user-provided prompts. The documentation acknowledges this risk and advises agents to only process content explicitly provided by the user and to use JSON-formatted inputs to prevent shell injection.
Audit Metadata
Risk Level
SAFE
Analyzed
May 18, 2026, 02:05 PM
Security Audit — agent-trust-hub — video-inpainting