
Security audit

👄 Lipsync — Pro Pack on RunComfy

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed RunComfy lip-sync workflow that uses an external CLI and user-provided media to generate synthetic video, with consent risks clearly called out.

Install only if you trust RunComfy and the `@runcomfy/cli` package. Use media and voices you have permission to process, keep the RunComfy token private, and be especially cautious with real people, public figures, defamatory uses, or sexual synthetic media.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Severity: Medium
Confidence: 90%

Finding
The trigger list includes broad natural-language phrases like 'make this video speak' and 'dub video' that can plausibly appear in ordinary conversation, increasing the chance the skill is invoked when the user did not explicitly request this high-risk media-manipulation capability. For a dual-use deepfake-adjacent skill, unintended activation is more dangerous than usual because it can route user assets into a third-party generation service and produce synthetic media without a clear, deliberate opt-in.
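The check behind this finding can be scripted. The block below is an added example written for this page, not SkillSpector's code and not part of the skill: it scores each trigger phrase on whether it names the capability explicitly (a term like "lipsync" or "runcomfy") or is made mostly of words that occur in ordinary conversation about media. The two vague phrases are the ones quoted in the finding; the remaining trigger phrases and both word lists are constructed for illustration.

```python
import re

# Constructed trigger list. The first two phrases are quoted in the finding;
# the other three are assumed here to show the contrast.
TRIGGERS = [
    "make this video speak",
    "dub video",
    "lipsync this clip with runcomfy",
    "generate lip-sync video from audio",
    "sync mouth movements to this voice",
]

# Terms that show the user is deliberately asking for this capability.
# Assumed list, not taken from the skill manifest or from SkillSpector.
CAPABILITY_TERMS = {"lipsync", "lip-sync", "lip sync", "runcomfy", "talking head"}

# Words that plausibly appear in unrelated conversation about media files.
# Also an assumed list.
GENERIC_TERMS = {"video", "speak", "dub", "clip", "voice", "audio", "talk", "make"}


def tokenize(phrase):
    """Lower-case word tokens; hyphenated words such as lip-sync stay intact."""
    return re.findall(r"[a-z0-9-]+", phrase.lower())


def classify_trigger(phrase, capability_terms=CAPABILITY_TERMS, generic_terms=GENERIC_TERMS):
    """Return ('explicit' | 'vague' | 'ambiguous', reason) for one trigger phrase.

    explicit  - mentions a capability term, so activation is a clear opt-in
    vague     - short, or at least half generic words: likely to fire on
                ordinary requests that never asked for synthetic media
    ambiguous - neither; worth a human look but not flagged automatically
    """
    lowered = phrase.lower()
    hit = [t for t in capability_terms if t in lowered]
    if hit:
        return "explicit", f"names capability term {hit[0]!r}"
    tokens = tokenize(phrase)
    generic = [t for t in tokens if t in generic_terms]
    share = len(generic) / max(len(tokens), 1)
    if len(tokens) <= 3:
        return "vague", f"only {len(tokens)} words and no capability term"
    if share >= 0.5:
        return "vague", f"{len(generic)}/{len(tokens)} words are generic media words"
    return "ambiguous", "no capability term, but not dominated by generic words"


def audit_triggers(triggers):
    """Classify every trigger; returns a list of (phrase, verdict, reason)."""
    return [(p, *classify_trigger(p)) for p in triggers]


def vague_triggers(triggers):
    """Just the phrases an auditor would report as overly broad."""
    return [p for p, verdict, _ in audit_triggers(triggers) if verdict == "vague"]


if __name__ == "__main__":
    for phrase, verdict, reason in audit_triggers(TRIGGERS):
        print(f"{verdict:9} {phrase!r}: {reason}")
```

Running it over the constructed list reports the two quoted phrases as vague and the two that name lipsync or RunComfy as explicit; the mouth-movement phrase lands in the middle bucket, which is where a reviewer's judgement belongs rather than an automatic flag. For a skill whose output is synthetic video of a person, the fix the finding implies is to keep only the explicit bucket as triggers and let the generic phrasings fall through to a confirmation step.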

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.