Security audit

🦴 ControlNet & Pose — Pro Pack on RunComfy

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed RunComfy helper for pose-conditioned image and video generation, with expected use of the RunComfy CLI, account token, external media URLs, and local output files.

Install only the official RunComfy CLI package, keep your RunComfy token private, and expect prompts and any referenced media URLs to be processed by RunComfy and possibly consume account quota or credits.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The skill advertises very broad natural-language triggers such as "use this pose," "character pose," and any explicit ask to condition generation on a pose, skeleton, motion, depth, or canny reference. In an agent setting, this can cause unintended auto-activation on ordinary user requests, leading the agent to invoke external tooling, process user-supplied URLs, and send content to a third-party service when the user did not clearly intend to use this specific skill.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.