Skills
skills/agentspace-so/runcomfy-skills/gpt-image-2/Gen Agent Trust Hub

gpt-image-2

Pass

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill invokes the runcomfy CLI tool to perform image generation and editing tasks, passing user-controlled prompt data to the tool as a structured JSON string.
  • [EXTERNAL_DOWNLOADS]: The documentation instructs the user to install the @runcomfy/cli package from the public npm registry and uses npx to fetch skill configurations from the vendor's repository.
  • [PROMPT_INJECTION]: The skill provides an interface for processing user-supplied prompts and image URLs through a remote model, creating a surface for indirect prompt injection.
  • Ingestion points: User-provided strings and image URLs passed into the --input argument of the runcomfy command in SKILL.md.
  • Boundary markers: Commands utilize JSON to delimit user input from the rest of the execution parameters.
  • Capability inventory: The skill can initiate network requests to the RunComfy Model API and write output files to a specified directory on the local file system.
  • Sanitization: The documentation notes that the CLI tool transmits data over HTTPS and does not perform shell expansion on the prompt contents.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 30, 2026, 09:25 AM