Security audit

comfyui-agent-skill-mie

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent ComfyUI client for packaged media-generation workflows, with privacy and dependency caveats users should understand before use.

Install only if you intend to use a local or trusted self-hosted ComfyUI server. Treat uploaded images, prompts, generated media, saved server URLs, and async job records as local/private data handled by that configured server and this tool's results directory. Avoid pointing it at public or untrusted ComfyUI endpoints, and prefer a locked dependency install if you operate in a sensitive environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill documentation directs the agent to use network access, read local files, write configuration, and invoke a CLI, but it does not declare those permissions explicitly. This creates a transparency and policy-enforcement gap: operators may approve the skill assuming minimal privileges while it can still reach local services, inspect files, and persist settings such as server URLs.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 84%
Finding: The skill is presented as only running registered workflows on a local or trusted ComfyUI instance, but the documented behavior includes broader capabilities such as importing/analyzing workflow JSON, persisting server endpoints, and installation/doctor utilities. This mismatch is dangerous because users and reviewers may underestimate the operational scope, especially around changing network targets and handling workflow artifacts that could expand attack surface or bypass expected review boundaries.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding: The registered workflow is described as an image-edit workflow, but it also contains a video-loading node chain (VHS_LoadVideo -> PreviewImage) unrelated to the declared purpose. In an agent setting, extra media-ingestion capability expands the attack surface, can enable unintended file access or processing paths, and undermines assumptions that only registered image-edit behavior is exposed.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The document instructs the agent to upload a user's local image to a ComfyUI server for `image_to_image` operations, but it does not require an explicit notice or consent step before transfer. Even though the server is described as local or trusted self-hosted, images may contain sensitive personal or proprietary data, so silent transfer can violate user expectations and privacy requirements.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The `image_to_video` guidance says the workflow uploads an input image and uses it to generate video, but it omits a clear safety/privacy warning that the image leaves the agent context and is transmitted to ComfyUI. This can expose personal photos or confidential visuals if users are not informed that processing involves transfer to another service endpoint.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
# Same as pyproject.toml dependencies; use `pip install -e .` from the skill root.
# comfy_api_simplified is vendored under scripts/comfy_api_simplified/ (see VENDORING.md).
requests
websockets
Confidence: 95%
Finding: requests

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
# Same as pyproject.toml dependencies; use `pip install -e .` from the skill root.
# comfy_api_simplified is vendored under scripts/comfy_api_simplified/ (see VENDORING.md).
requests
websockets
Confidence: 94%
Finding: websockets

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

Severity: High
Category: Supply Chain
Confidence: 90%
Finding: requests

Known Vulnerable Dependency: websockets — 4 advisory(ies): CVE-2018-1000518 (websockets is vulnerable to denial of service by memory exhaustion); CVE-2021-33880 (Observable Timing Discrepancy in aaugustin websockets library); CVE-2018-1000518 (aaugustin websockets version 4 contains a CWE-409: Improper Handling of Highly C) +1 more

Severity: High
Category: Supply Chain
Confidence: 88%
Finding: websockets

VirusTotal

65/65 vendors flagged this skill as clean.