runway
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill processes user-supplied prompts and media URLs which are interpolated into API request files. 1. Ingestion points: promptText, promptImage, and videoUri fields in SKILL.md. 2. Boundary markers: Absent. 3. Capability inventory: Command execution (bash -c) and network requests (curl). 4. Sanitization: Absent.
- [Command Execution] (SAFE): The skill uses shell commands (curl) to interact with the Runway API, which is the primary intended behavior for this utility.
- [CREDENTIALS_SAFE] (SAFE): The skill securely manages API keys via the vm0_secrets configuration rather than hardcoding credentials.
Audit Metadata