Back to skill

Security audit

JMCAI Comfypet

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its JMCAI workflow purpose, but remote bridge mode can automatically transfer local media or document files and fetch arbitrary absolute output URLs without enough user control.

Install only if you intend to use JMCAI Comfypet and understand that remote bridge mode can copy local workflow input files to another machine. Keep bridge_url on localhost for sensitive work, use only trusted remote bridge endpoints, avoid passing confidential media or documents, and treat downloaded outputs as untrusted files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill intentionally supports absolute local file paths for workflow asset fields and, when the bridge is non-loopback, base64-uploads those files to the configured bridge. Although extensions are restricted, this still creates a local file exfiltration primitive to any remote bridge URL in config, which is broader than the stated desktop-app/loopback usage and could expose sensitive local media or documents if an agent is induced to reference them.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
build_bridge_url permits absolute http(s) download_path values, and localize_output_asset fetches them and writes the response to a local temp directory. This allows a bridge response to cause arbitrary outbound requests and local file writes, effectively expanding behavior from bridge-scoped artifact retrieval to arbitrary URL fetching, which can enable SSRF-like access from the client side, tracking, or delivery of untrusted content to disk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states that when `bridge_url` points to a remote desktop endpoint, it will automatically upload local assets as `upload:<id>` without requiring an explicit warning or confirmation at the time of transmission. Even with a file-type whitelist, this can cause unintentional exfiltration of sensitive local files if a user or upstream workflow provides a path and the bridge is remote or less trusted.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill enables implicit invocation without any visible trigger constraints, exclusions, or scoping rules. Because this skill can query workflows and submit image/video generation jobs through a desktop bridge, automatic invocation increases the chance that unrelated user requests or crafted prompt context could trigger expensive or privacy-sensitive workflow execution without clear user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation states that when using a remote bridge, local absolute paths will be automatically uploaded, but it does not explicitly warn that files from the user's machine are being transmitted to a remote desktop application/service. In a skill that handles images, masks, audio, video, and generic files, this omission can lead users to unintentionally disclose sensitive local data, especially because the behavior is framed as automatic and convenient.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This section documents automatic upload and argument rewriting to `upload:<id>` for audio, video, file, and mask inputs, but it does not clearly warn that local assets may be transmitted to a remote system. Because these input types often contain highly sensitive content such as voice samples, private videos, documents, or masks derived from proprietary material, the missing disclosure increases the chance of unintended exfiltration.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.