The skill lacks defined tool constraints, executes unpinned dependencies, and processes external image URLs, creating significant risks of remote code execution and indirect prompt injection.
npx skills add https://github.com/agentspace-so/runcomfy-agent-skillsSkill name or description references a well-known AI brand, which may suggest impersonation.
openai
Unpinned npx package execution — `npx <pkg>` without a version pin pulls latest from npm at runtime
npx skills
Global/unverified dependency execution — global npm/yarn package, dotnet tool, or auto-confirmed npx run without version or integrity pinning
npm i -g
The skill accepts external image URLs which are processed by remote models; if these models are multimodal, they may be susceptible to indirect prompt injection where the image content influences the agent's subsequent reasoning or actions.
image_urls: array yes — 1–20 publicly-fetchable HTTPS URLs.
[](https://mondoo.com/ai-agent-security/skills/github/agentspace-so/runcomfy-agent-skills/image-edit)<a href="https://mondoo.com/ai-agent-security/skills/github/agentspace-so/runcomfy-agent-skills/image-edit"><img src="https://mondoo.com/ai-agent-security/api/badge/github/agentspace-so/runcomfy-agent-skills/image-edit.svg" alt="Mondoo Skill Check" /></a>https://mondoo.com/ai-agent-security/api/badge/github/agentspace-so/runcomfy-agent-skills/image-edit.svgSkills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.