
Security audit

🎬 AI Video Generation — Pro Pack on RunComfy

Security checks across malware telemetry and agentic risk

Overview

This appears to be a RunComfy video-generation skill whose external CLI and credential use fit its stated purpose.

Install only if you are comfortable using RunComfy for video generation: your prompts and any media URLs used for a job may be sent to RunComfy, and the skill needs a RunComfy token or local login. Review the CLI install source, keep the token out of logs and repositories, and confirm ambiguous video requests before running the tool.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 95%
Finding
The trigger text is overly broad and includes generic phrases such as "generate video," "make a video," "animate," and especially a catch-all condition for any explicit ask to produce a video clip. This can cause the skill to activate in contexts where the user did not specifically intend to invoke RunComfy, increasing the chance of unintended external CLI execution, use of API credentials, and processing of user-supplied URLs or prompts.

VirusTotal

62/62 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.