Security checks across malware telemetry and agentic risk

Overview

This ComfyUI skill mostly matches its stated image-generation purpose, but it can install and run an unverified helper executable and write downloaded files with insufficient containment checks.

Install only if you are comfortable with the skill modifying your ComfyUI directory and making network downloads. Prefer running downloads with --no-pget or installing pget yourself from a verified source, use only trusted model URLs, avoid --overwrite unless you checked the destination path, and review any workflow JSON before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The script downloads an executable from the internet into ~/.local/bin, marks it executable, and then runs it. That creates a supply-chain risk: if the release URL, transport, upstream account, or downloaded asset is compromised, arbitrary code will execute on the host under the user's account.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The skill can download arbitrary URLs into ComfyUI model directories, which materially expands its capability beyond the stated purpose of running local workflows via HTTP API. In context, this is risky because model downloads can consume large disk space, introduce untrusted artifacts into the local AI environment, and enable persistence of attacker-chosen files within the application's data tree.

Missing User Warnings

Severity: Low
Confidence: 92%
Finding
The README explicitly describes editing workflow JSON, writing a temporary workflow file, and contacting a local ComfyUI HTTP service, but it does not warn users that the skill will modify local files and interact with a local network-exposed API. In an agent setting, missing disclosure can cause users to authorize actions without understanding that filesystem state and local services may be affected, increasing the chance of unintended execution against sensitive local environments.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding
The trigger conditions include generic image-generation requests, which can cause this powerful skill to activate in situations where the user did not explicitly request local execution, shell commands, or downloads. Because the skill can inspect files, modify workflows, contact localhost services, and potentially download models, over-broad activation increases the chance of unintended side effects.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The instructions direct the agent to clone repositories, create environments, install dependencies, start servers, and later download model weights, but they do not require a clear user-facing warning or explicit confirmation about system and network changes. This can lead to unexpected software installation, persistent services, and large downloads on the user's machine.

VirusTotal

67/67 vendors flagged this skill as clean.