
Security audit

ComfyUI Client

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed ComfyUI image/video client that sends prompts and selected images to a configured ComfyUI server and saves generated outputs.

Install this only if you want an agent to run ComfyUI workflows. Prefer a local ComfyUI server; if you configure a remote server, your prompts, workflow data, and any uploaded images may be sent to and retained by that server. Review or clean the output folders if generated content is sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Severity: Low
Confidence: 91%
Finding
The script loads the parent project's .env file and uses COMFYUI_SERVER_URL from it, which extends the skill's trust boundary beyond its declared image/video generation purpose. In an agent setting, this can unintentionally consume environment-derived configuration from the host project and route requests to attacker-controlled or unintended endpoints.
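One way to contain the trust-boundary issue described in this finding, as an added example that is not the skill's own code and is not part of the SkillSpector report. It assumes the client reads COMFYUI_SERVER_URL from the process environment; the loopback default, the https requirement for remote hosts, and the COMFYUI_ALLOW_REMOTE opt-in variable are choices introduced here. A related fact worth knowing: python-dotenv's `load_dotenv()` called without a path searches upward through parent directories, which is exactly how a host project's .env ends up steering a skill; passing an explicit `dotenv_path` to the skill's own directory avoids that.

```python
"""Validate COMFYUI_SERVER_URL before any prompt or image leaves the host.

Added example, not the skill's own code. COMFYUI_ALLOW_REMOTE is a hypothetical
opt-in variable introduced here; the loopback default and the https requirement
for remote servers are this example's policy, not the skill's.
"""
import ipaddress
import os
from typing import Mapping, Optional
from urllib.parse import urlsplit

DEFAULT_URL = "http://127.0.0.1:8188"   # assumption: ComfyUI's usual local port
LOCAL_NAMES = {"localhost"}


class RemoteServerNotAllowed(ValueError):
    """Configured server is not loopback and remote use has not been enabled."""


def is_loopback_host(host: str) -> bool:
    """True for 'localhost' and any IPv4/IPv6 loopback literal."""
    if host.lower() in LOCAL_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:          # not an IP literal, so not a loopback address
        return False


def truthy(value: Optional[str]) -> bool:
    return (value or "").strip().lower() in {"1", "true", "yes"}


def resolve_server_url(env: Optional[Mapping[str, str]] = None) -> str:
    """Return a normalised origin (scheme://host[:port]) or raise.

    Only scheme, host and port survive normalisation, so a path, query or
    fragment smuggled into the variable cannot redirect the client's
    /prompt or /upload/image calls to some other endpoint on that host.
    """
    env = os.environ if env is None else env
    raw = (env.get("COMFYUI_SERVER_URL") or DEFAULT_URL).strip()
    parts = urlsplit(raw)

    if parts.scheme not in ("http", "https"):
        raise ValueError(f"COMFYUI_SERVER_URL: unsupported scheme {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("COMFYUI_SERVER_URL: embedded credentials are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("COMFYUI_SERVER_URL: no host")

    if not is_loopback_host(host):
        # Remote server: require an explicit opt-in, and require TLS so prompts
        # and uploaded images are not sent in the clear.
        if not truthy(env.get("COMFYUI_ALLOW_REMOTE")):
            raise RemoteServerNotAllowed(
                f"{host} is not a local ComfyUI server; set COMFYUI_ALLOW_REMOTE=1 "
                "to send prompts and images there"
            )
        if parts.scheme != "https":
            raise ValueError("COMFYUI_SERVER_URL: remote servers must use https")

    host_part = f"[{host}]" if ":" in host else host      # re-bracket IPv6 literals
    port_part = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{host_part}{port_part}"


if __name__ == "__main__":
    print(resolve_server_url())
```

Call `resolve_server_url()` once at startup and build every request from the returned origin; passing an explicit `env` mapping keeps the function testable without touching the real environment.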

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The workflow contains a SaveImage node that writes generated output to disk with the prefix 'z-image', but the file itself shows no disclosure, consent step, or retention guidance. In an agent skill that automatically submits jobs and downloads outputs, silent persistence can create privacy and data-handling risks, especially if prompts or generated media contain sensitive or regulated content.
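A way to make that persistence visible and bounded, as an added example that is not the skill's own code and is not part of the SkillSpector report. It keeps the 'z-image' prefix the finding mentions but writes every output under a dedicated directory alongside a manifest, so a user can see what was saved and purge it by age; the manifest name, file naming scheme and retention period are choices made here, and the image bytes and prompts are constructed sample data.

```python
"""Record and expire generated outputs so they never persist silently.

Added example, not the skill's own code. The manifest stores hashes of the
prompt rather than the prompt text, so reviewing the folder later does not
re-expose a sensitive prompt. MANIFEST_NAME and the naming scheme are this
example's choices.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional

MANIFEST_NAME = "manifest.jsonl"


def save_output(out_dir: Path, image_bytes: bytes, prompt: str,
                prefix: str = "z-image", now: Optional[float] = None) -> Path:
    """Write one generated image and append a manifest record for it."""
    now = time.time() if now is None else now
    out_dir.mkdir(parents=True, exist_ok=True)
    digest = hashlib.sha256(image_bytes).hexdigest()
    name = f"{prefix}-{int(now)}-{digest[:12]}.png"
    path = out_dir / name
    path.write_bytes(image_bytes)
    record = {
        "file": name,
        "created": now,
        "sha256": digest,
        "prompt_sha256": hashlib.sha256(prompt.encode("utf-8")).hexdigest(),
    }
    with (out_dir / MANIFEST_NAME).open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return path


def list_outputs(out_dir: Path) -> List[Dict]:
    """Parse the manifest; an absent manifest means nothing has been saved."""
    manifest = out_dir / MANIFEST_NAME
    if not manifest.exists():
        return []
    lines = manifest.read_text(encoding="utf-8").splitlines()
    return [json.loads(line) for line in lines if line.strip()]


def purge_outputs(out_dir: Path, max_age_s: float,
                  now: Optional[float] = None) -> List[str]:
    """Delete outputs older than max_age_s and drop them from the manifest.

    Returns the file names removed so the caller can report them to the user.
    """
    if not (out_dir / MANIFEST_NAME).exists():
        return []
    now = time.time() if now is None else now
    kept, removed = [], []
    for rec in list_outputs(out_dir):
        if now - rec["created"] > max_age_s:
            (out_dir / rec["file"]).unlink(missing_ok=True)
            removed.append(rec["file"])
        else:
            kept.append(rec)
    (out_dir / MANIFEST_NAME).write_text(
        "".join(json.dumps(r) + "\n" for r in kept), encoding="utf-8")
    return removed


def run_demo(out_dir: Optional[Path] = None) -> Dict:
    """Round trip on constructed data: two fake outputs, then purge the older one."""
    out_dir = Path(tempfile.mkdtemp(prefix="comfy-out-")) if out_dir is None else out_dir
    t0 = 1_700_000_000.0                      # fixed clock so names are predictable
    first = save_output(out_dir, b"\x89PNG constructed-1", "constructed prompt one", now=t0)
    second = save_output(out_dir, b"\x89PNG constructed-2", "constructed prompt two", now=t0 + 3600)
    removed = purge_outputs(out_dir, max_age_s=1800, now=t0 + 3600 + 10)
    return {
        "removed": removed,
        "first_exists": first.exists(),
        "second_exists": second.exists(),
        "remaining": [r["file"] for r in list_outputs(out_dir)],
        "second_name": second.name,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running `purge_outputs` at client startup, and printing the output directory and retention period the first time it is created, gives the disclosure and retention guidance the finding says the workflow lacks.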

VirusTotal

61/61 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.