ai-video-generation

Pass

Audited by Gen Agent Trust Hub on Jul 13, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill utilizes the @runcomfy/cli Node.js package, which is required for its primary functionality. It correctly advises using verified package managers (npm/npx) and explicitly warns against insecure practices like piping remote scripts into a shell.
  • [COMMAND_EXECUTION]: The skill's functionality is scoped to the runcomfy binary via the allowed-tools configuration. It uses a structured JSON input format (--input) to pass user prompts to the CLI, which effectively mitigates the risk of shell command injection.
  • [PROMPT_INJECTION]: The skill documentation acknowledges the surface for indirect prompt injection via untrusted third-party media assets (reference images, audio, or video) and provides appropriate instructions for agents to verify user intent and prioritize explicitly provided prompts over asset-derived instructions.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 13, 2026, 07:38 AM
Security Audit — agent-trust-hub — ai-video-generation