relight
Pass
Audited by Gen Agent Trust Hub on Jul 13, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs the
@runcomfy/clipackage from the official npm registry. This is a legitimate dependency required for the skill's core functionality and originates from the service provider's verified namespace. - [COMMAND_EXECUTION]: Shell command execution is strictly limited to the
runcomfyCLI tool through theallowed-toolsfrontmatter configuration. This implementation of least privilege prevents the agent from executing unauthorized system commands. - [DATA_EXFILTRATION]: The skill documentation provides clear guidance on secure credential management, detailing the storage of API tokens with restricted file permissions (
0600) and the use of environment variables in automated environments. - [PROMPT_INJECTION]: The skill uses structured JSON boundaries (via the
--inputflag) when passing user-provided content to the CLI, effectively preventing shell injection. Additionally, the documentation explicitly identifies potential risks from third-party image metadata and provides guidance on safe handling of external assets.
Audit Metadata