wan-2-7

Pass

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: SAFE

COMMAND_EXECUTION, EXTERNAL_DOWNLOADS

Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to invoke the runcomfy CLI tool to perform video generation tasks.
      • Evidence: Examples such as runcomfy run wan-ai/wan-2-7/text-to-video --input '{"prompt": "<user prompt>"}' are provided in SKILL.md.
      • The agent is responsible for constructing these commands, incorporating user-provided prompts and URLs into a JSON input string.
  • [EXTERNAL_DOWNLOADS]: The skill references the installation of the RunComfy CLI from a public registry.
      • Evidence: npm i -g @runcomfy/cli is listed as a prerequisite in SKILL.md.
      • This package is the official tool for the vendor associated with this skill.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes user-provided prompts and media URLs as input for video generation, creating a surface for indirect prompt injection.
      • Ingestion points: User-supplied prompt and audio_url fields within the SKILL.md input schema.
      • Boundary markers: Input is structured as a JSON string within the CLI command, --input '{"prompt": "..."}', to prevent direct shell expansion.
      • Capability inventory: Execution of the runcomfy CLI as described in SKILL.md.
      • Sanitization: The skill documents that the CLI transmits the JSON body directly to the API without shell expansion of the prompt content.

Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 18, 2026, 02:12 PM