ClawHub
Back to skill

Security audit

Portrait Generator

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed ComfyDeploy portrait-generation skill, but users should know portrait traits and prompts are sent to that third-party service.

Install this only if you intend to use ComfyDeploy for portrait generation and are comfortable sending prompts, facial traits, run IDs, and output links to that service. Avoid using real private likenesses or sensitive identity details unless authorized, and prefer a limited ComfyDeploy API key if available.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill sends user prompts and highly sensitive inferred or explicit facial attributes such as ethnicity, sex, age, scars, and medical-condition-like features to a third-party ComfyDeploy API, but the description does not warn users about this external transmission. In this context, the omission matters because portrait requests may contain personal data or protected/sensitive attributes, so users and downstream agents may unknowingly disclose data off-platform.

External Transmission

Medium
Category
Data Exfiltration
Content
## Endpoint

```
POST https://api.comfydeploy.com/api/run/deployment/queue
```

## Headers
Confidence
91% confidence
Finding
https://api.comfydeploy.com/

External Transmission

Medium
Category
Data Exfiltration
Content
The queue endpoint returns a `run_id`. Use this to poll status:

```
GET https://api.comfydeploy.com/api/run/{run_id}
```

Poll until `status` is `"success"`, then extract the output image URL from the response.
Confidence
88% confidence
Finding
https://api.comfydeploy.com/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal