Security audit

🧰 RunComfy CLI — Pro Pack on RunComfy

Security checks across malware telemetry and agentic risk

Overview

This is a coherent RunComfy CLI guide whose credential use, external CLI installation, network calls, and downloads are disclosed and fit the stated purpose.

Install this only if you intend to use RunComfy from the command line. Verify the official CLI package before installing, protect and rotate your RunComfy token as needed, and choose output directories carefully because model results may be downloaded locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium (92% confidence)
Finding
The trigger text is overly broad because it activates not only on explicit RunComfy CLI commands, but also on 'any explicit ask to call a RunComfy model from script or terminal.' That can cause the skill to engage in many loosely related contexts, increasing the chance that it handles requests outside its narrow intended scope and triggers external CLI or network actions when a safer or more appropriate skill should respond instead.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.