Back to skill

Security audit

Comfyui Client

Security checks across malware telemetry and agentic risk

Overview

This skill coherently automates ComfyUI image and video generation, with expected local saving and user-directed image uploads.

Install this if you intend to let the agent run ComfyUI workflows. Keep the server URL local or otherwise trusted, avoid uploading sensitive images to remote ComfyUI servers, and clean the output directory when generated media or prompts should not be retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Low
Confidence
78% confidence
Finding
The skill states it will automatically download generated images and videos, which implies local file writes, session directories, and persistence of possibly sensitive prompts/results. If users are not clearly warned, they may unintentionally store confidential or regulated content on disk, especially in shared workspaces or synced directories.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill supports uploading local images to the ComfyUI service but does not prominently warn that user-supplied image data will be transmitted to that service. This matters because the service may be remote or differently administered than expected, and uploaded images can contain sensitive personal, proprietary, or biometric information.

Natural-Language Policy Violations

Low
Confidence
94% confidence
Finding
The workflow includes a hard-coded prompt describing a specific ethnicity ('latina model') without any user opt-in or parameterization. This is not a code-execution issue, but it can cause the skill to generate identity-specific content the user did not request, creating bias, inappropriate personalization, or policy/compliance concerns in an image-generation context.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The workflow contains SaveVideo nodes that automatically write generated video to disk using the prefix "video/ComfyUI", but the skill description does not clearly disclose this persistence behavior. In a client skill that automatically downloads generated media, undisclosed local file creation can lead to unexpected storage of sensitive or private user-generated content, increasing privacy and data-handling risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.