Back to skill

Security audit

๐ŸŽผ ACE Step โ€” Pro Pack on RunComfy

Security checks across malware telemetry and agentic risk

Overview

This is a coherent RunComfy music-generation skill, with the main caution that it uses a paid external service and a RunComfy token.

Install this only if you trust RunComfy and the @runcomfy/cli package. Review model duration and endpoint choices because runs may consume credits, and avoid submitting confidential lyrics, unreleased audio, or private client material unless RunComfy processing is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list includes broad generic phrases such as "cheap AI music," "open music model," and especially "any explicit ask to generate or edit music with ACE Step," which can cause this skill to activate for loosely related or ambiguous music requests. Over-broad activation increases the chance that the agent routes users into this skill unexpectedly, leading to unintended command execution paths, unnecessary external API use, and possible exposure of user-provided media or prompts to RunComfy when a more appropriate tool should have been selected.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.