comfyui-running

Security checks across malware telemetry and agentic risk

Overview

This ComfyUI skill appears intended for local image generation, but it can make system-level changes and run broad automation without clear enough user control.

Review before installing. Use this only if you are comfortable with an agent starting ComfyUI, installing Python packages, controlling a local Chrome/Edge debugging tab, clearing pending ComfyUI queue entries, and saving generated outputs. Prefer a virtual environment, pinned dependencies installed explicitly, localhost-only binding, an isolated browser profile, and a manual way to stop the ComfyUI process.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            importlib.import_module(mod_name)
        except ImportError:
            print(f"[INFO] Installing dependency: {pkg}")
            subprocess.check_call([sys.executable, "-m", "pip", "install", pkg, "-q"])


def quick_generate(prompt: str, **kwargs) -> Dict:
Confidence
97% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", pkg, "-q"])

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises substantial capabilities including environment access, filesystem read/write, network access, and shell execution, yet does not declare permissions. This creates a transparency and consent problem: users and hosting platforms may authorize the skill without realizing it can start processes, modify local configuration, and interact with the local system.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose focuses on running ComfyUI workflows, but the described behavior goes much further: auto-detecting installations and ports, writing config files, launching local processes, installing packages, scanning local directories, and controlling a browser via CDP/WebSocket. This mismatch is dangerous because users may grant trust for a narrow workflow tool while the skill effectively has broad local automation and system-manipulation power.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script deletes all proxy-related environment variables at startup, modifying host execution context beyond what is needed to run a local workflow. This can silently bypass enterprise monitoring, egress controls, or user-configured security proxies, which is risky even though the tool primarily targets localhost services.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script exposes generic browser automation primitives for screenshot capture and arbitrary key injection via Chrome DevTools Protocol. In the context of a skill advertised as running ComfyUI workflows, these capabilities are broader than necessary and could be abused to interact with unrelated UI, capture sensitive screen content, or trigger unintended actions in the browser tab.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Auto-installing Python packages is not necessary for a REST automation helper whose dependencies should already be declared, and it introduces supply-chain risk at execution time. Because installation occurs silently inside a helper path, users may trigger package installation unexpectedly merely by calling quick_generate().

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The tutorial states the skill uses CDP to control the Edge browser and automate the ComfyUI UI, which expands the operational scope beyond a simple REST-only integration. That matters because browser automation has broader capabilities and attack surface, and users are not clearly told when or how that automation will occur.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The invocation example uses a generic natural-language phrase ('帮我启动ComfyUI并生成一张猫咪图片', roughly "help me start ComfyUI and generate a picture of a cat") that could plausibly occur in normal conversation, making accidental activation more likely. In the context of this skill, activation can lead to launching local software and triggering downstream actions, so the trigger is overly broad for a capability with system-side effects.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation states that the AI will automatically read configuration, start ComfyUI, execute a workflow, and download an image, but it does not clearly warn the user that these actions affect the local system and filesystem. Because this skill can launch processes, perform network/API activity, and write files, the lack of explicit warning and consent language increases the risk of unintended execution.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill description does not adequately warn that it can automatically start local software and control a browser interface, including CDP-based automation. In context, this is security-relevant because browser control and local process startup can affect unrelated applications, expose sensitive data in the browser, or perform actions on the user's behalf without sufficiently informed consent.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code installs packages via pip without confirmation, making an external system modification on behalf of the user. Silent installation reduces transparency and can violate least surprise, especially in restricted or production environments where package changes are security-relevant.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The examples use extremely generic phrases like '生成一张猫咪图片' (roughly "generate a picture of a cat") that are indistinguishable from normal conversation about image generation. This can cause unintended skill activation, leading the agent to run local automation and workflows when the user may have only wanted a conversational response or a text prompt.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The usage section repeats broad natural-language triggers and says users can 'just tell AI,' without defining when the skill should not run. In an agent ecosystem, that ambiguity increases the chance of accidental invocation of browser automation, local service access, and file-writing behavior.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The tutorial describes automatic CDP-based browser control and workflow execution but does not present this as a salient warning to the user. Lack of disclosure reduces informed consent and can hide the fact that the skill may manipulate a local browser session and interact with local services automatically.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The tutorial promises that the AI will 'automatically help complete everything' without clearly warning that image outputs will be written to disk. This is a weaker issue than browser control, but it still creates a transparency problem because users may not expect filesystem side effects from a casual prompt.

VirusTotal

66/66 vendors flagged this skill as clean.