flux-2-klein

Pass

Audited by Gen Agent Trust Hub on Jul 13, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill facilitates the execution of the runcomfy CLI to generate images using Black Forest Labs' Flux 2 Klein models. This is the core intended functionality and operates within the context of the RunComfy service.
  • [EXTERNAL_DOWNLOADS]: The skill references the installation of the @runcomfy/cli package from the public npm registry and uses npx to fetch the skill configuration from the agentspace-so GitHub repository. These are standard dependency resolutions for the service.
  • [CREDENTIALS_UNSAFE]: The skill documents the use of ~/.config/runcomfy/token.json and the RUNCOMFY_TOKEN environment variable for managing API authentication. This follows established security patterns for CLI tools and does not involve hardcoded secrets.
  • [PROMPT_INJECTION]: The skill identifies a potential injection surface where user prompts are interpolated into a shell command. It provides explicit guidance on mitigating this by passing the input as a JSON string to the CLI, which is documented to handle the input without shell expansion.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 13, 2026, 07:37 AM
Security Audit — agent-trust-hub — flux-2-klein