lipsync
Pass
Audited by Gen Agent Trust Hub on Jul 13, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the
runcomfyCLI via a Bash tool to execute lip-sync tasks. This is restricted to theruncomfy *command pattern as specified in theallowed-toolsfrontmatter, which is the intended functionality of the skill. - [EXTERNAL_DOWNLOADS]: The skill mentions installing the
@runcomfy/clivianpmornpx. These are standard, well-known package management practices from the official RunComfy organization. - [INDIRECT_PROMPT_INJECTION]: The skill documents the risk of processing untrusted third-party URLs (video and audio files) and provides specific mitigation strategies for the agent, such as only using user-provided URLs and monitoring for output divergence.
- [CREDENTIALS_UNSAFE]: The skill discusses secure token management, advising the use of
runcomfy login(which stores tokens with restricted permissions) or environment variables, rather than hardcoding secrets.
Audit Metadata