🫧 Image-to-Video — Pro Pack on RunComfy

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed RunComfy image-to-video skill, with the main caution that ambiguous media requests could send user-provided content to a third-party service.

Install this only if you are comfortable using RunComfy for hosted video generation. Confirm the user really wants image-to-video generation before running it, and avoid sending private images, voice clips, videos, or confidential prompts unless RunComfy's data handling is acceptable for that content.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 83% confidence
Finding: The trigger list is broad enough to activate on common phrases like 'make a video from image' or other generic image/video requests, increasing the chance that the skill runs when a narrower or safer tool should handle the task. In an agent setting, overbroad activation can cause unintended external API calls, unexpected spending, and accidental transmission of user-supplied media URLs or prompts to a third-party service.

Vague Triggers

Medium

Confidence: 85% confidence
Finding: The routing guidance says to route here for examples like 'make a video from this' or when a user 'showed an image and asked for video' without specifying exclusion conditions. In a multi-skill agent, this ambiguity can misfire the skill on loosely related requests and send content to RunComfy unnecessarily, creating privacy, cost, and policy-boundary risks.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal