image-outpainting
Pass
Audited by Gen Agent Trust Hub on Jul 13, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill documents the installation of the
@runcomfy/clipackage from the official NPM registry. This is a standard dependency for the skill's functionality and originates from the service provider's namespace. - [COMMAND_EXECUTION]: The skill uses the
runcomfyCLI to process image outpainting requests. Commands are constructed using JSON input to prevent shell injection, and operations are limited to the permitted tool scope. - [PROMPT_INJECTION]: The skill acknowledges and provides mitigations for potential indirect prompt injection from processing third-party image URLs.
- Ingestion points: External image data is ingested via URLs in the
--inputJSON parameter (SKILL.md). - Boundary markers: The skill uses structured JSON to separate model instructions from data URLs.
- Capability inventory: The skill uses the
runcomfyCLI tool for remote image processing. - Sanitization: Documentation instructs the agent to only ingest user-provided URLs and provides guidance on detecting output divergence.
Audit Metadata