elevenlabs-music-generation

Pass

Audited by Gen Agent Trust Hub on Jul 13, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill utilizes the @runcomfy/cli package, which is downloaded from the official NPM registry. This is the standard installation path for the service's tools.
  • [COMMAND_EXECUTION]: The skill invokes the runcomfy command-line interface to interact with remote AI models. This execution is limited to the skill's primary purpose of music generation.
  • [PROMPT_INJECTION]: The skill ingests user-provided text for music generation, creating a surface for indirect prompt injection where instructions could be hidden in lyrics or style briefs.
  • Ingestion points: The prompt field in the runcomfy run command (SKILL.md).
  • Boundary markers: User input is encapsulated within a JSON string literal in the --input argument.
  • Capability inventory: The skill triggers network requests to the RunComfy API and performs local file writes to save generated audio.
  • Sanitization: The documentation explicitly states that prompt content is transmitted as a JSON body and is not subjected to shell expansion, mitigating command injection risks.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 13, 2026, 07:38 AM
Security Audit — agent-trust-hub — elevenlabs-music-generation