image-outpainting

Pass

Audited by Gen Agent Trust Hub on Jul 13, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill documents the installation of the @runcomfy/cli package from the official NPM registry. This is a standard dependency for the skill's functionality and originates from the service provider's namespace.
  • [COMMAND_EXECUTION]: The skill uses the runcomfy CLI to process image outpainting requests. Commands are constructed using JSON input to prevent shell injection, and operations are limited to the permitted tool scope.
  • [PROMPT_INJECTION]: The skill acknowledges and provides mitigations for potential indirect prompt injection from processing third-party image URLs.
  • Ingestion points: External image data is ingested via URLs in the --input JSON parameter (SKILL.md).
  • Boundary markers: The skill uses structured JSON to separate model instructions from data URLs.
  • Capability inventory: The skill uses the runcomfy CLI tool for remote image processing.
  • Sanitization: Documentation instructs the agent to only ingest user-provided URLs and provides guidance on detecting output divergence.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 13, 2026, 07:38 AM
Security Audit — agent-trust-hub — image-outpainting