🎵 ElevenLabs AI Music Generation — Pro Pack on RunComfy

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent RunComfy music-generation skill that uses a third-party CLI and account token, with no artifact evidence of hidden or malicious behavior.

Before installing, make sure you trust the RunComfy CLI, use the correct RunComfy account or token, confirm expected generation costs, and avoid putting confidential lyrics or business details in prompts unless you are comfortable sending them to the provider.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill can submit a music prompt to RunComfy and download generated audio, and long generations may incur costs.

Why it was flagged

The skill delegates work to a local CLI that calls a remote model API. This is central to the skill's purpose and is clearly disclosed.

Skill content

Calls `runcomfy run elevenlabs/elevenlabs/music-generation` through the local RunComfy CLI.

Recommendation

Use it for explicit music-generation tasks and review duration/cost before asking for long tracks.

What this means

Anyone using this skill with your token or logged-in config could consume your RunComfy account quota or billing for music generation.

Why it was flagged

The integration requires RunComfy authentication through an environment token and local config. That is expected for the service, but it gives the tool account-level authority to run provider jobs.

Skill content

requires:
    bins:
      - runcomfy
    env:
      - RUNCOMFY_TOKEN
    config:
      - ~/.config/runcomfy

Recommendation

Use the intended RunComfy account, keep tokens private, and prefer scoped or revocable tokens if RunComfy supports them.

What this means

Installing or running the CLI executes third-party package code on the user's machine.

Why it was flagged

The setup examples rely on installing or executing an external npm package. This is expected for the RunComfy CLI workflow, but package provenance and version pinning are outside this artifact.

Skill content

npm i -g @runcomfy/cli                              # global install
npx -y @runcomfy/cli --version                      # zero-install

Recommendation

Install the RunComfy CLI only from trusted sources, consider pinning a known version, and review RunComfy's official installation documentation.

What this means

Lyrics, brand details, or other prompt text may be processed by RunComfy/ElevenLabs.

Why it was flagged

The skill sends user-provided music prompts and lyrics to an external model provider. This is disclosed and purpose-aligned, but it is still an external data flow.

Skill content

ElevenLabs Music on the **RunComfy Model API**, called through the `runcomfy` CLI.

Recommendation

Avoid including confidential or sensitive material unless you are comfortable sharing it with the provider under their terms.