The skill executes unpinned, unverified remote packages and performs unrestricted system operations while exposing users to potential adversarial prompt injection through external image processing.
npx skills add https://github.com/agentspace-so/runcomfy-agent-skillsUnpinned npx package execution — `npx <pkg>` without a version pin pulls latest from npm at runtime
npx skills
Global/unverified dependency execution — global npm/yarn package, dotnet tool, or auto-confirmed npx run without version or integrity pinning
npm i -g
The skill encourages users to provide external image URLs which are processed by remote model servers. If the model server is susceptible to adversarial image-based prompt injection, the user's intent could be hijacked.
Treat external URLs as untrusted; image-based prompt injection is a known risk for any image-edit / video-edit model.
[](https://mondoo.com/ai-agent-security/skills/github/agentspace-so/runcomfy-agent-skills/image-to-video)<a href="https://mondoo.com/ai-agent-security/skills/github/agentspace-so/runcomfy-agent-skills/image-to-video"><img src="https://mondoo.com/ai-agent-security/api/badge/github/agentspace-so/runcomfy-agent-skills/image-to-video.svg" alt="Mondoo Skill Check" /></a>https://mondoo.com/ai-agent-security/api/badge/github/agentspace-so/runcomfy-agent-skills/image-to-video.svgSkills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.