ComfyUI Skill for OpenClaw

Security checks across malware telemetry and agentic risk

Overview

The skill mostly fits its ComfyUI purpose, but it should be reviewed because it can install third-party code, self-update/restart, and force-kill local processes with limited guardrails.

Install only if you are comfortable giving this skill local ComfyUI management authority. Keep the Web UI bound to localhost, do not expose the port to a network, review any custom-node repository before installing dependencies, avoid using it with sensitive ComfyUI credentials unless needed, and back up config/workflow data before imports, deletes, or updates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (19)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content
try:
    result = subprocess.run(
        ["git", "clone", repo_url, str(target_dir)],
        capture_output=True,
        text=True,
Confidence: 95%
Finding
result = subprocess.run( ["git", "clone", repo_url, str(target_dir)], capture_output=True, text=True, timeout=300,

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content
# Install pip requirements if present
req_file = target_dir / "requirements.txt"
if req_file.exists():
    subprocess.run(
        ["pip", "install", "-r", str(req_file)],
        capture_output=True, text=True, timeout=300,
    )
Confidence: 98%
Finding
subprocess.run( ["pip", "install", "-r", str(req_file)], capture_output=True, text=True, timeout=300, )

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The UI exposes update and restart endpoints that perform host-level operational actions unrelated to ordinary workflow execution, and there is no authentication or authorization visible in this file. If the service is reachable by an untrusted user or network peer, an attacker could trigger updates or forced restarts and disrupt availability or alter running code.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding
The script unconditionally enumerates all processes bound to the configured port and forcefully terminates them before starting the UI. This exceeds the expected scope of a skill launcher because it can kill unrelated host services that happen to use the same port, causing denial of service and potentially data loss if those processes were in the middle of work.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
Using `kill -9` on every PID returned by `lsof -ti:$UI_PORT` gives the script host-level process termination capability with no ownership check, no confirmation, and no graceful shutdown attempt. In an agent skill context, this is more dangerous because an automated tool may run it without human review, allowing accidental or adversarial port selection to terminate unrelated local services immediately.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The bundle exposes client-side controls that call `/api/system/check-update`, `/api/system/update`, and `/api/system/restart`, which are administrative self-management actions unrelated to merely running or managing ComfyUI workflows. If this UI is reachable by a lower-privileged user or through an agent-facing surface, it expands the attack surface to include arbitrary service updates and restarts, enabling denial of service or unauthorized code changes.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The code implements software update and restart endpoints as ordinary UI actions, which materially exceeds the stated purpose of workflow execution/import/management. In an agent skill context, such capabilities are especially risky because they can let an agent-triggered workflow perform privileged operational changes to the host service, causing outages or pulling unreviewed updates.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The README documents destructive commands such as workflow deletion, server removal, and config import/apply without warning that they can irreversibly alter local state, remove registered workflows, or overwrite existing configuration. In an agent-execution context, users or autonomous agents may copy these commands verbatim, increasing the chance of accidental destructive actions on the local environment or connected ComfyUI setup.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The README advertises state-changing commands such as workflow delete, config import, dependency installation, and file upload without clearly warning that they can modify local files, install software, or remove configured assets. In an agent-skill context, documentation is often transformed into executable guidance, so missing safety cues increase the chance an agent or user invokes destructive or system-altering operations without explicit confirmation.

Missing User Warnings

Severity: Low
Confidence: 78%
Finding
The documentation tells users to install requirements and launch a local Web UI or run update scripts, but does not clearly disclose that these actions start a network-accessible service or execute local shell scripts. While common in setup docs, this omission is risky for agent-driven environments because an agent may treat these as routine steps and expose a service or run unreviewed code without informed consent.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding
The trigger conditions are broad enough that many generic image-related requests could activate the skill automatically, even when the user did not intend shell execution or ComfyUI operations. In agent environments, over-broad routing increases the chance of unintended tool use, unnecessary network calls, and execution of side-effecting commands.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The UI shortcut directs the agent to start a background process and open a browser automatically, but it does not require explicit user consent at the point of action. Automatically spawning services and opening local applications can surprise users, alter system state, and be abused in environments where side effects should be tightly controlled.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The onboarding flow tells the agent to write workflow JSON and generated schema files into local project directories automatically when the user asks to configure or add a workflow. Silent file creation is dangerous in agent settings because it changes local state, may overwrite existing content, and could persist untrusted workflow data without clear user approval.

Missing User Warnings

Severity: Medium
Confidence: 74%
Finding
The Web UI section encourages executing a local script that automatically creates a virtual environment, installs dependencies, and starts a server, but the warning about these side effects appears only after the command block. In an agent-driven context where shell commands may be executed with limited user review, this increases the risk of unexpected package installation and service exposure on the local machine.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding
The documentation explicitly encourages agents to add servers, import workflows, check dependencies, and verify setup, but it does not warn that these actions can modify local configuration, connect to remote systems, or change execution targets. In an agent-executed context, this can normalize autonomous configuration changes and increase the chance of unintended system or environment modifications.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The update and restart routes execute safety-critical actions immediately with no confirmation, anti-automation control, or visible guardrails in this file. That makes accidental triggering and low-friction abuse much easier, especially in an agent-facing skill where API actions may be invoked programmatically.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The installer performs repository cloning and package installation without any user-facing warning or confirmation. In this skill's context, where an agent may fulfill natural-language requests by fetching custom nodes and models, silent installation materially increases the chance of unintended remote code execution and supply-chain compromise.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The script force-kills any process on the selected UI port without warning or confirmation, so a user or calling agent may trigger destructive behavior merely by launching the UI. Because `OPENCLAW_UI_PORT` is configurable, this can be redirected to ports used by other applications, increasing the risk of unintended denial of service on the host.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The script performs state-changing operations (`git checkout -- ui/static/`, `git pull`, and `pip install -r requirements.txt`) immediately and without any confirmation, preview, or rollback protections. This can overwrite local changes and install newly fetched code or dependencies from the repository, which is risky for an agent-invoked skill because updates may be triggered non-interactively and execute code from an unreviewed upstream state.

VirusTotal

65/65 vendors flagged this skill as clean.
