runpod
Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill documentation references multiple Docker images (e.g., ghcr.io/conalmullan/video-toolkit-qwen-edit:latest) which are pulled from a personal GitHub Container Registry account to be used as serverless endpoints.
- [COMMAND_EXECUTION]: Users are instructed to execute local Python scripts using commands like python tools/image_edit.py --setup. The logic contained within these tools is external to the provided skill file and is used to provision cloud infrastructure.
- [CREDENTIALS_UNSAFE]: The setup instructions advise users to store sensitive information, including RUNPOD_API_KEY and Cloudflare R2 access keys, in a local .env file. While a common local development pattern, this poses a risk of accidental credential exposure.
Audit Metadata