ai-video-generation
Pass
Audited by Gen Agent Trust Hub on Jul 13, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill utilizes the
@runcomfy/cliNode.js package, which is required for its primary functionality. It correctly advises using verified package managers (npm/npx) and explicitly warns against insecure practices like piping remote scripts into a shell. - [COMMAND_EXECUTION]: The skill's functionality is scoped to the
runcomfybinary via theallowed-toolsconfiguration. It uses a structured JSON input format (--input) to pass user prompts to the CLI, which effectively mitigates the risk of shell command injection. - [PROMPT_INJECTION]: The skill documentation acknowledges the surface for indirect prompt injection via untrusted third-party media assets (reference images, audio, or video) and provides appropriate instructions for agents to verify user intent and prioritize explicitly provided prompts over asset-derived instructions.
Audit Metadata