🫧 GPT Image Edit — Pro Pack on RunComfy

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed RunComfy wrapper for GPT Image 2 image editing, with no bundled executable code or hidden behavior found.

Install only if you trust RunComfy and are comfortable sending image URLs and edit prompts to its service. Protect `RUNCOMFY_TOKEN`, avoid private or sensitive images unless the service terms fit your needs, and choose output directories deliberately.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger definition includes the broad phrase "or any explicit ask to edit with this model," which is ambiguous and can cause the skill to activate outside narrowly scoped invocations. In an agent environment, overly broad routing increases the chance this skill is selected for loosely related image-edit requests, potentially sending user-provided image URLs and prompts to the external RunComfy service when a more appropriate or local tool should have been used.

VirusTotal

65/65 vendors flagged this skill as clean.
