kling-3-0
Pass
Audited by Gen Agent Trust Hub on May 6, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the @runcomfy/cli package from the NPM registry as a prerequisite for its operation.
- [COMMAND_EXECUTION]: The skill instructs the agent to execute the runcomfy command-line tool to generate videos. It passes user-provided inputs, such as prompts and aspect ratios, directly to the CLI as part of a JSON payload.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its handling of untrusted external data.
  - Ingestion points: Untrusted data enters the agent context through the prompt and image_url fields specified in the input schema within SKILL.md.
  - Boundary markers: There are no explicit boundary markers or instructions provided to the model to ignore potential commands embedded within the input data.
  - Capability inventory: The skill possesses the capability to execute shell commands via the runcomfy CLI and write output files to the local file system.
  - Sanitization: The skill does not perform sanitization or validation of the content within the prompts or the images retrieved from external URLs before passing them to the rendering engine.
Audit Metadata