The skill lacks defined tool constraints, executes unpinned and unverified dependencies, and processes external media, creating significant risks for arbitrary code execution and indirect prompt injection attacks.
npx skills add https://github.com/agentspace-so/runcomfy-agent-skillsUnpinned npx package execution — `npx <pkg>` without a version pin pulls latest from npm at runtime
npx skills
Global/unverified dependency execution — global npm/yarn package, dotnet tool, or auto-confirmed npx run without version or integrity pinning
npm i -g
The skill accepts external video and image URLs which are processed by remote models; if these models are susceptible to adversarial inputs, they could be used to perform indirect prompt injection against the user's workflow.
The skill documentation acknowledges: 'image-based prompt injection is a known risk for any image-edit / video-edit model.'
[](https://mondoo.com/ai-agent-security/skills/github/agentspace-so/runcomfy-agent-skills/video-edit)<a href="https://mondoo.com/ai-agent-security/skills/github/agentspace-so/runcomfy-agent-skills/video-edit"><img src="https://mondoo.com/ai-agent-security/api/badge/github/agentspace-so/runcomfy-agent-skills/video-edit.svg" alt="Mondoo Skill Check" /></a>https://mondoo.com/ai-agent-security/api/badge/github/agentspace-so/runcomfy-agent-skills/video-edit.svgSkills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.