Skills
skills/runcomfy-com/skills/codex-pet/Gen Agent Trust Hub

codex-pet

Pass

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute local commands including runcomfy and magick (ImageMagick) to perform image transformations and assemble spritesheet atlases. These operations are consistent with the skill's stated purpose.
  • [EXTERNAL_DOWNLOADS]: The pipeline fetches source images from external, user-provided URLs to serve as the visual basis for the generated mascot.
  • [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface where the source image provided by the user is processed by an image generation model (GPT Image 2). Malicious instructions could theoretically be embedded within the image data.
  • Ingestion points: The SOURCE_URL variable in the generation script within SKILL.md captures external data.
  • Boundary markers: Input is passed to the CLI as a string; no explicit sanitization is performed on the image content itself.
  • Capability inventory: The skill has the ability to write to the local filesystem (mkdir, cp, cat) and execute image processing commands.
  • Sanitization: No local sanitization is performed on the image; the skill relies on the safety guardrails of the remote RunComfy/OpenAI API.
Audit Metadata
Risk Level
SAFE
Analyzed
May 18, 2026, 01:54 PM