Skill v1.0.1

VirusTotal security

ComfyUI · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review: May 1, 2026, 3:27 AM
Hash: c4329fc7d60390d2c4c540e6ee3f805b5c774e8c2e1370b4035f8ba2135fa8da
Source: palm
Verdict: suspicious

Code Insight

Type: OpenClaw Skill
Name: comfyui
Version: 1.0.1

The skill is classified as suspicious due to the `scripts/download_weights.py` file. This script attempts to download and install the `pget` binary from a remote GitHub release URL (`https://github.com/replicate/pget/releases/latest/download/pget_{sysname}_{machine}`) to `~/.local/bin` if it's not already present, and then executes it. While this functionality is explicitly described in `SKILL.md` and intended for legitimate parallel downloads of model weights, the capability to download and execute a remote binary represents a significant supply chain risk and broad permission, even if the immediate intent is not malicious. The `assets/tmp-workflow.json` also contains a sensitive prompt, though the agent is instructed to edit workflows based on user input, not to exfiltrate this data.