video-edit
Pass
Audited by Gen Agent Trust Hub on Jul 13, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes the
runcomfyCLI tool to perform video processing tasks. - [EXTERNAL_DOWNLOADS]: Installs the
@runcomfy/clipackage from the NPM registry and downloads processed video assets from official domains. - [CREDENTIALS_UNSAFE]: References API token storage in
~/.config/runcomfy/token.jsonand usage of environment variables, while correctly recommending secure file permissions (0600) for the local configuration. - [PROMPT_INJECTION]: The skill ingests untrusted user data via prompts and external URLs. • Ingestion points: User-provided prompts and URLs (SKILL.md). • Boundary markers: Prompts are passed as JSON values to the CLI to avoid shell expansion. • Capability inventory: Executes shell commands via
runcomfyand retrieves network assets. • Sanitization: CLI handles transmission over HTTPS directly to the API, and the documentation includes explicit warnings regarding risks associated with external media content.
Audit Metadata