video-inpainting
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to install the
@runcomfy/clipackage via NPM. This is an official package from the skill's author (runcomfy-com). - [COMMAND_EXECUTION]: The skill utilizes the
Bashtool, which is strictly limited to theruncomfyCLI in the YAML frontmatter (allowed-tools: Bash(runcomfy *)). This implementation of the principle of least privilege reduces the attack surface for command injection. - [INDIRECT_PROMPT_INJECTION]: The skill processes external data in the form of video URLs and user-provided prompts. The documentation acknowledges this risk and advises agents to only process content explicitly provided by the user and to use JSON-formatted inputs to prevent shell injection.
Audit Metadata