Back to skill

Security audit

ComfyUI Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward ComfyUI helper, with disclosed local setup and no evidence of hidden persistence, data theft, or destructive behavior.

Install only if you intend to connect OpenClaw to a ComfyUI server you trust. Keep the base URL pointed at localhost or infrastructure you control, avoid uploading sensitive images to untrusted endpoints, and review any separate workflow or monitoring files before adding them to ComfyUI.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation instructs users to copy workflow files into a live ComfyUI input directory and describes ongoing file monitoring/archiving, but it provides no warning that these actions modify local application state and may process files automatically. In an agent skill context, undocumented filesystem modification and monitoring behavior can surprise users, expand the skill's effective privileges, and increase the chance of unsafe overwrites, unintended processing, or data exposure through monitored output directories.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.