creative-visual-production
Pass
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: Automated scanners flagged two instances of piped commands to Python. Investigation of
comfyui_setup.shconfirms these are false positives; the script usescurl ... | python3 -m json.toolto format JSON output for display. No arbitrary remote code is executed. - [CREDENTIALS_UNSAFE]: The skill manages a
COMFY_CLOUD_API_KEY. The shared logic in_common.pyimplements a session handler that explicitly strips sensitive headers, including the API key and Authorization tokens, when a request is redirected to a different host (e.g., from the cloud API to a storage provider like S3). This is a strong security control against credential exfiltration. - [COMMAND_EXECUTION]: The skill utilizes
subprocess.runandsubprocess.Popenin several scripts (pixel_art_video.py,hardware_check.py,auto_fix_deps.py) to interface with system utilities likeffmpegandcomfy-cli. These calls are appropriately parameterized and necessary for the core media processing and environment management tasks of the skill. - [EXTERNAL_DOWNLOADS]: The skill facilitates the download of AI models and dependencies from established platforms such as HuggingFace and CivitAI. It provides instructions for manual and automated model management, which is typical for generative AI workflows. All referenced external domains and repositories are well-known services.
- [PROMPT_INJECTION]: The skill inherently processes untrusted external data (articles for illustration, images for pixel conversion, etc.). While this presents an indirect prompt injection surface, the instructions include safety checks, such as scanning for and stripping secrets from source content and advising on the use of stylized alternatives for sensitive figures, which mitigates these risks.
Audit Metadata