ai-music

Pass

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: SAFE (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill provides instructions for installing the @runcomfy/cli package from the NPM registry. This package is the official tool for the service described in the skill.
  • [COMMAND_EXECUTION]: The skill is configured to use the runcomfy CLI for music generation and editing. The execution scope is restricted to this specific tool via the allowed-tools frontmatter.
  • [PROMPT_INJECTION]: The skill possesses an attack surface for indirect prompt injection as it processes untrusted data from external sources and user inputs.
      • Ingestion points: User-provided prompts, tags, lyrics, and external audio URLs entered via CLI arguments (SKILL.md).
      • Boundary markers: The skill uses structured JSON to pass input data to the CLI, which helps isolate user-provided text from the shell command.
      • Capability inventory: File system and subprocess access are restricted to the runcomfy command as declared in the skill's manifest (SKILL.md).
      • Sanitization: The skill does not implement custom sanitization or filtering of prompt content, relying on the underlying platform and CLI tool for data handling.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 18, 2026, 10:54 AM
Security Audit — agent-trust-hub — ai-music