Back to skill

Security audit

ComfyUI Bridge

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its image-generation purpose, but it also stores queued private images and can later send results through iMessage to a hard-coded default chat, which needs review before install.

Review before installing. Use it only if you are comfortable sending selected images to the configured bridge, storing queued copies under ~/.openclaw/faceswap-queue, and potentially using iMessage for delayed delivery. Do not run the queue daemon until you have checked or changed the hard-coded default chat target, confirmed recipient behavior, and decided how queued private images should be cleaned up.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
shell_cmd += " --text " + subprocess.list2cmdline([text])
        if image_path and Path(image_path).exists():
            shell_cmd += " --file " + subprocess.list2cmdline([str(image_path)])
        r2 = subprocess.run(shell_cmd, shell=True, capture_output=True, text=True, timeout=30, env=send_env)
        if r2.returncode == 0:
            log(f"Delivered to chat {chat_id} (shell fallback)")
            return True
Confidence
98% confidence
Finding
r2 = subprocess.run(shell_cmd, shell=True, capture_output=True, text=True, timeout=30, env=send_env)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
proc_env["PATH"] = extra_path + ":" + proc_env.get("PATH", "/usr/bin:/bin")

    try:
        result = subprocess.run(
            cmd,
            capture_output=True, text=True, timeout=600,
            env=proc_env
Confidence
95% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, timeout=600, env=proc_env )

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documentation clearly indicates capabilities to read environment variables, read/write local files, make network requests, and invoke shell commands, yet no permissions are declared. That creates a transparency and policy-enforcement gap: operators and users cannot accurately assess or constrain what the skill can access, and the hidden capability mix is powerful enough to touch local media, external services, and host state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior materially exceeds the stated LAN-local image generation purpose by introducing offline queuing, background processing, iMessage delivery, vision QA through Ollama, and even a Discord CDN fallback. These extra channels and background actions expand the data-flow surface for user images and outputs, making unintended transmission, retention, and privacy exposure much more likely than a user would infer from the description.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
A skill presented as LAN-only and self-hosted also documents storing requests locally and later delivering results via iMessage, which contradicts the implied trust boundary. That means sensitive user images or manipulated face content may persist on disk and then be transmitted through a separate messaging channel, increasing privacy, consent, and data-retention risk.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Faceswap outputs are silently transmitted to a separate local Ollama HTTP service for QA, which exceeds the user's stated expectation of interacting only with the ComfyUI bridge. Even though the service is local, this expands the data exposure surface for sensitive facial imagery and creates an undeclared secondary processing path.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
When the bridge is offline, the script persists request arguments and copies user-supplied images into a queue directory under the home folder without explicit consent or retention controls. This broadens the skill from transient processing into local data retention, which is especially sensitive for faceswap and personal photo workflows.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
If direct bridge download fails, the script fetches the result image from a Discord CDN, contradicting the description that processing occurs through a self-hosted LAN ComfyUI instance. This can leak generated content and metadata to an external third-party service outside the user's local network trust boundary.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The code extends beyond LAN image processing and sends outputs via iMessage, an external messaging capability not justified by the skill's stated scope. That mismatch increases risk because generated media and metadata can be exfiltrated to chats without clear user expectation or least-privilege boundaries.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
This module can access Apple Messages context via a local `imsg` CLI and send arbitrary text/files to chat IDs, which is a powerful capability unrelated to basic ComfyUI image generation. In the context of a queue processor handling untrusted request data, this creates a meaningful exfiltration and abuse channel.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documentation presents the module as a queue processor for a bridge, but it also performs outbound message delivery. That hidden capability makes security review and user trust worse because it obscures data flows and increases the chance that sensitive outputs are transmitted unexpectedly.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly enables face-swapping and expression editing of real people without any warning about consent, privacy, impersonation, or misuse. In this context, the omission is security-relevant because the tool is designed to manipulate identity-bearing images, which raises abuse risk for deception, harassment, and non-consensual image alteration.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The queueing logic copies source and input images into persistent local storage without an explicit warning or consent flow. For personal photos and biometric face images, silent retention meaningfully increases privacy risk if the machine is shared, backed up, or later compromised.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The QA feature sends generated face images to another HTTP service without explicit notice, which is a material privacy-relevant behavior change for a biometric workflow. Users may reasonably expect the image to stay within the bridge path, not be forwarded for secondary automated inspection.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.