🫧 Codex Pet — Pro Pack on RunComfy

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed RunComfy-based Codex pet generator whose network use, credential need, local file writes, and generated artifacts fit its stated purpose.

Install only if you are comfortable using RunComfy and storing or providing a RunComfy token. Use non-sensitive, shareable source image URLs, because the image is processed by RunComfy's remote service. Review the generated pet name/path before running the install step so files are written only under your intended Codex pets directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (88% confidence)
Finding
The trigger text includes a catch-all activation condition ('any explicit ask to build a custom pet for OpenAI Codex'), which broadens invocation beyond tightly scoped phrases. Overly broad triggers can cause the skill to activate in unintended contexts, increasing the chance of unreviewed third-party API use, file writes under the user's Codex directory, and accidental handling of user content.

Missing User Warnings

Medium (94% confidence)
Finding
The prerequisites and workflow ask for a source image URL but do not present a clear upfront warning that the image will be sent to RunComfy/OpenAI-hosted third-party infrastructure for processing. This can lead users to unknowingly transmit private or sensitive images off-device, creating privacy and consent risks.

VirusTotal

64/64 vendors flagged this skill as clean.