flux-2-klein
Pass
Audited by Gen Agent Trust Hub on Jul 13, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill facilitates the execution of the
runcomfyCLI to generate images using Black Forest Labs' Flux 2 Klein models. This is the core intended functionality and operates within the context of the RunComfy service. - [EXTERNAL_DOWNLOADS]: The skill references the installation of the
@runcomfy/clipackage from the public npm registry and usesnpxto fetch the skill configuration from theagentspace-soGitHub repository. These are standard dependency resolutions for the service. - [CREDENTIALS_UNSAFE]: The skill documents the use of
~/.config/runcomfy/token.jsonand theRUNCOMFY_TOKENenvironment variable for managing API authentication. This follows established security patterns for CLI tools and does not involve hardcoded secrets. - [PROMPT_INJECTION]: The skill identifies a potential injection surface where user prompts are interpolated into a shell command. It provides explicit guidance on mitigating this by passing the input as a JSON string to the CLI, which is documented to handle the input without shell expansion.
Audit Metadata