Back to skill

Security audit

ComfyUI执行器

Security checks across malware telemetry and agentic risk

Overview

This ComfyUI skill mostly does what it says, but it can delete local files, clear or interrupt service jobs, and write downloaded files with insufficient path safeguards.

Review commands before use, especially delete, interrupt, free-memory, and clear-history. Use this only with a trusted ComfyUI server, avoid sensitive API keys unless necessary, and constrain workflow names and downloaded output filenames to safe directories before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documents capabilities that involve network access, reading local files, and use of environment-provided API keys, but it does not declare corresponding permissions. That creates a transparency and governance gap: operators may approve or invoke the skill without understanding its actual access to local data and remote services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The description emphasizes HTTP interaction with ComfyUI, but the documented behavior also includes local workflow listing, reading, and deletion. This mismatch can mislead users and reviewers about the real trust boundary, especially because local file management introduces additional risk beyond remote API use.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README instructs users how to interrupt running ComfyUI tasks but does not warn that interruption can discard partial results, leave outputs in inconsistent states, or terminate shared jobs on a multi-user service. Because this skill manages a live generation queue over HTTP, normalizing interruption without caution increases the chance of accidental denial-of-service or loss of in-progress work.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README advertises GPU memory release and history cleanup without noting that these actions can remove execution history, disrupt debugging/auditing, or interfere with active sessions if run at the wrong time. In a service-management skill, undocumented destructive maintenance operations can cause avoidable data loss and service instability.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The skill documents workflow deletion as a routine action without warning, confirmation, or recovery guidance. In an agent setting, that increases the chance of accidental data loss, especially if the agent autonomously manages files based on ambiguous user requests.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
Queue interruption is presented without clearly warning that it stops an in-progress generation task and may waste compute time or lose partial work. In a multi-user or long-running workload context, an agent could disrupt legitimate jobs unexpectedly.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
History clearing commands are destructive and are documented without emphasizing irreversibility or prompting for confirmation. This can remove auditability and troubleshooting data that users may rely on, making incident review or job recovery harder.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The executor downloads filenames supplied by the remote ComfyUI server and writes them directly under the chosen output directory using `output_path / filename` with no sanitization or overwrite protection. If the server is compromised or untrusted, a filename containing path traversal sequences or a colliding name could overwrite arbitrary user-accessible files or place unexpected files on disk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.