video-edit

Pass

Audited by Gen Agent Trust Hub on Jul 13, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill invokes the runcomfy CLI tool to perform video processing tasks.
  • [EXTERNAL_DOWNLOADS]: Installs the @runcomfy/cli package from the NPM registry and downloads processed video assets from official domains.
  • [CREDENTIALS_UNSAFE]: References API token storage in ~/.config/runcomfy/token.json and usage of environment variables, while correctly recommending secure file permissions (0600) for the local configuration.
  • [PROMPT_INJECTION]: The skill ingests untrusted user data via prompts and external URLs. • Ingestion points: User-provided prompts and URLs (SKILL.md). • Boundary markers: Prompts are passed as JSON values to the CLI to avoid shell expansion. • Capability inventory: Executes shell commands via runcomfy and retrieves network assets. • Sanitization: CLI handles transmission over HTTPS directly to the API, and the documentation includes explicit warnings regarding risks associated with external media content.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 13, 2026, 07:38 AM
Security Audit — agent-trust-hub — video-edit