ComfyUI

Security checks across malware telemetry and agentic risk

Overview

This ComfyUI skill is mostly purpose-aligned, but it needs Review because it can install and run a downloaded helper program and persist user-supplied downloads locally.

Install only if you intend this agent to manage a local ComfyUI setup. Prefer running downloads with --no-pget or installing pget yourself from a verified source, use trusted model URLs with hashes when available, avoid --overwrite on untrusted files, and review workflow JSON before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The instructions broaden the skill from local workflow execution into environment setup and arbitrary remote downloads. That expansion increases attack surface by enabling untrusted content retrieval and local software changes that are not necessary for the core task of executing an existing local workflow.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
Software installation and model-download features are powerful side effects that are not justified by the narrow stated purpose. In practice this can lead to execution of package installers, binary placement in user directories, and retrieval of untrusted model files, all of which raise supply-chain and persistence risks.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The script downloads an executable from a moving 'latest' GitHub release URL, writes it to ~/.local/bin, marks it executable, and then runs it. This creates a supply-chain and remote code execution risk: if the release asset, transport, repository, or account is compromised, the host will execute attacker-controlled code.

Vague Triggers

Medium
Confidence: 90%
Finding
The activation conditions are overly broad, including generic image-description requests that may cause the skill to run when the user did not ask to use local ComfyUI. In this context, accidental activation is more dangerous because the skill can read files, write temp files, run shell commands, and potentially install software or download weights.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill instructs the agent to download arbitrary URLs and even auto-install a downloader binary without an explicit warning or consent checkpoint. This is dangerous because it can silently create persistent filesystem changes and introduce untrusted external artifacts into executable/model directories.

Vague Triggers

Low
Confidence: 98%
Finding
The workflow hardcodes an explicit sexual prompt ("Adult woman, nude...") in a general-purpose image generation skill, with no safety constraints, moderation layer, or exclusion criteria. In the context of an agent-accessible ComfyUI skill, this increases the likelihood of generating disallowed NSFW content and makes misuse easy because the unsafe behavior is bundled as a ready-to-run default asset.

VirusTotal

64/64 vendors flagged this skill as clean.