elevenlabs-music-generation
Pass
Audited by Gen Agent Trust Hub on Jul 13, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill utilizes the
@runcomfy/clipackage, which is downloaded from the official NPM registry. This is the standard installation path for the service's tools. - [COMMAND_EXECUTION]: The skill invokes the
runcomfycommand-line interface to interact with remote AI models. This execution is limited to the skill's primary purpose of music generation. - [PROMPT_INJECTION]: The skill ingests user-provided text for music generation, creating a surface for indirect prompt injection where instructions could be hidden in lyrics or style briefs.
- Ingestion points: The
promptfield in theruncomfy runcommand (SKILL.md). - Boundary markers: User input is encapsulated within a JSON string literal in the
--inputargument. - Capability inventory: The skill triggers network requests to the RunComfy API and performs local file writes to save generated audio.
- Sanitization: The documentation explicitly states that prompt content is transmitted as a JSON body and is not subjected to shell expansion, mitigating command injection risks.
Audit Metadata