video-extend

Pass

Audited by Gen Agent Trust Hub on Jul 13, 2026

Risk Level: SAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill recommends installing the @runcomfy/cli package. This is a verified vendor resource from the RunComfy ecosystem, used to interact with the platform's video generation services via API.
  • [COMMAND_EXECUTION]: Shell usage is restricted to the runcomfy CLI through the allowed-tools configuration, limiting the agent's execution scope to a specific, legitimate tool.
  • [PROMPT_INJECTION]: The skill identifies a potential surface for indirect prompt injection when processing third-party video content and provides clear mitigation guidance for agents.
  • Ingestion points: The video_url parameter in the runcomfy run command which fetches external media.
  • Boundary markers: Input is structured as a JSON string, which helps separate data from command logic, though specific internal prompt delimiters are not used.
  • Capability inventory: The runcomfy CLI performs authenticated API calls to vendor endpoints and writes output files to the local filesystem.
  • Sanitization: The skill documentation notes that the CLI does not perform shell expansion on the prompt or URL content.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 13, 2026, 07:38 AM
Security Audit — agent-trust-hub — video-extend