Security audit

🎞️ Video Inpainting — Pro Pack on RunComfy

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed RunComfy video-editing helper that uses a third-party CLI and cloud processing, with no hidden scripts or destructive behavior found.

Install only the official RunComfy CLI if you trust RunComfy, keep RUNCOMFY_TOKEN private, and submit only videos you are comfortable sending to RunComfy cloud processing. For vague requests like clean up video, confirm the exact region, source URL, and desired edit before running the workflow.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger list includes broad, natural-language phrases such as "clean up video," "remove from video," and "frame-by-frame edit," which can match ordinary user requests that do not clearly intend to invoke this specific skill. That creates an overbroad activation surface where the agent may route users into a third-party video-editing workflow unexpectedly, causing unintended data handling, privacy exposure, or incorrect tool execution.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.