Security checks across malware telemetry and agentic risk

Overview

This ComfyUI skill mostly does what it says, but it can download and run unverified tooling and place arbitrary model files into a local ComfyUI install without enough safeguards.

Review carefully before installing. Use it only when you intentionally want your agent to run local ComfyUI, avoid running the bundled tmp workflow as-is, prefer --no-pget or a separately installed trusted pget, and only download model weights from sources you trust with known hashes or checksums.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The bundled default workflow contains a hardcoded prompt for explicit nude-image generation, while the skill description presents the capability as generic ComfyUI workflow execution. This creates a misalignment between advertised behavior and shipped defaults, increasing the chance of unintended sexually explicit output, policy violations, or unsafe invocation by users who did not explicitly request such content.

Description-Behavior Mismatch

Medium
Confidence: 84%
Finding
The script expands the skill's capability from running local ComfyUI workflows to fetching arbitrary remote model files and placing them into the ComfyUI models directory. In this context, that increases the attack surface by allowing untrusted remote content to be introduced into the local environment, which is outside the stated scope of a workflow-running skill.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
The script downloads an external executable from the network into ~/.local/bin, marks it executable, and later runs it. That creates a software supply-chain and arbitrary code execution risk if the download source, redirect path, or release artifact is compromised, and it is especially dangerous because this capability is unrelated to merely running local ComfyUI workflows.

Vague Triggers

Medium
Confidence: 81%
Finding
The read_when trigger includes general image-generation requests, so this skill may be selected even when the user did not specifically ask to run local ComfyUI or modify a local installation. In context, that increases the chance of surprising shell, file, and network side effects from a broadly matched user prompt.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs downloading model weights from arbitrary user-provided URLs directly into the local ComfyUI models directory, with no integrity verification, origin allowlist, or warning about untrusted models. In this context, model files and related artifacts are part of a risky supply chain and can consume disk, introduce malicious or unexpected content, or prepare later exploitation through downstream tooling.

VirusTotal

65/65 vendors flagged this skill as clean.