Back to skill

Security audit

๐ŸŽญ Face Swap โ€” Pro Pack on RunComfy

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed RunComfy face-swap helper with real dual-use risks, but its requested access and instructions match that purpose and no hidden or destructive behavior is evident.

Install only the official RunComfy CLI, protect your RunComfy token, and use this only with identities and media you have rights to use. Confirm each model run, inputs, output directory, and any disclosure obligations before generating synthetic media.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
96% confidence
Finding
The manifest includes very broad trigger phrases such as 'deepfake', 'swap face', and 'make this video star X', which can cause the skill to activate on a wide range of identity-manipulation requests, including harmful or policy-sensitive ones. In this context, the skill is explicitly designed for face swapping/deepfake generation, so overbroad activation materially increases the chance of unintended routing into a high-risk capability.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.