Security audit

🎨 AI Image Generation — Pro Pack on RunComfy

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed RunComfy image-generation helper that uses the user's RunComfy CLI/account to create or edit images.

Install only if you trust RunComfy and the `@runcomfy/cli` package. Review prompts, input image URLs, output directory, and any web-search option before running jobs, and avoid sending sensitive images or text unless you are comfortable with RunComfy processing them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The trigger list is broad enough to match common conversational phrases like "generate image" or "make a picture," which can cause the skill to activate when the user did not explicitly intend to use RunComfy. Because this skill can invoke a local CLI that uses stored credentials and performs networked actions, accidental activation can lead to unintended external requests, cost-incurring jobs, or processing of user-provided content without a sufficiently explicit confirmation boundary.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.