The skill executes unpinned, unverified dependencies and lacks tool constraints, while its image processing functionality introduces risks of indirect prompt injection via adversarial visual payloads.
npx skills add https://github.com/agentspace-so/runcomfy-agent-skillsUnpinned npx package execution — `npx <pkg>` without a version pin pulls latest from npm at runtime
npx skills
Global/unverified dependency execution — global npm/yarn package, dotnet tool, or auto-confirmed npx run without version or integrity pinning
npm i -g
The skill accepts external image URLs for style transfer/composition. These images are processed by the remote model server, which may be susceptible to 'indirect prompt injection' via steganographic payloads or adversarial visual patterns embedded in the reference images.
Treat external URLs as untrusted; image-based prompt injection is a known risk
[](https://mondoo.com/ai-agent-security/skills/github/agentspace-so/runcomfy-agent-skills/flux-2-klein)<a href="https://mondoo.com/ai-agent-security/skills/github/agentspace-so/runcomfy-agent-skills/flux-2-klein"><img src="https://mondoo.com/ai-agent-security/api/badge/github/agentspace-so/runcomfy-agent-skills/flux-2-klein.svg" alt="Mondoo Skill Check" /></a>https://mondoo.com/ai-agent-security/api/badge/github/agentspace-so/runcomfy-agent-skills/flux-2-klein.svgSkills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.