lipsync

Pass

Audited by Gen Agent Trust Hub on Jul 13, 2026

Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the runcomfy CLI via a Bash tool to execute lip-sync tasks. This is restricted to the runcomfy * command pattern as specified in the allowed-tools frontmatter, which is the intended functionality of the skill.
  • [EXTERNAL_DOWNLOADS]: The skill mentions installing the @runcomfy/cli via npm or npx. These are standard, well-known package management practices from the official RunComfy organization.
  • [INDIRECT_PROMPT_INJECTION]: The skill documents the risk of processing untrusted third-party URLs (video and audio files) and provides specific mitigation strategies for the agent, such as only using user-provided URLs and monitoring for output divergence.
  • [CREDENTIALS_UNSAFE]: The skill discusses secure token management, advising the use of runcomfy login (which stores tokens with restricted permissions) or environment variables, rather than hardcoding secrets.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 13, 2026, 07:37 AM
Security Audit — agent-trust-hub — lipsync