Back to skill

Security audit

Comfyui-Api

Security checks across malware telemetry and agentic risk

Overview

This ComfyUI image-generation skill is mostly coherent, but it exposes under-disclosed server-control and local-file upload capabilities that users should review before installing.

Review before installing. Use only a ComfyUI server you control or trust, verify the configured URL before generating images, avoid prompts containing sensitive information, and do not use upload on private files. Be aware the skill can inspect server history and queue state and can cancel or interrupt work on the configured server.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill is presented as an image-generation client, but it also exposes administrative and data-management operations against the configured ComfyUI server, including queue cancellation, interrupting current tasks, history access, object/model enumeration, and file upload. In an agent setting, this broadens the effective permission scope beyond user-expected image generation and can enable unauthorized interference with server workloads or unintended disclosure of server state and local file contents.

Description-Behavior Mismatch

Low
Confidence
82% confidence
Finding
The help text advertises additional commands such as system stats, queue inspection, history, model listing, upload, cancel, and interrupt that are not reflected in the top-level description. This mismatch increases the chance that users or calling agents invoke higher-risk functionality without understanding that the skill does more than image generation.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The skill says users can 'directly' send a prompt after connection is set, but it does not clearly separate ordinary chat from commands that trigger the skill. That ambiguity can cause accidental invocation and unintended transmission of user text to the configured image-generation server, especially in conversational contexts where the user did not intend to use the skill.

Vague Triggers

High
Confidence
97% confidence
Finding
Automatically setting the connection whenever user input contains a URL is an overly broad trigger that can be exploited or triggered accidentally. A benign message containing a URL could silently repoint the skill to an attacker-controlled server, causing prompts and possibly generated content requests to be sent to an untrusted endpoint.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill describes networked API usage but does not warn that prompts and related data will be sent to the configured server. Users may disclose sensitive prompts, internal URLs, or other data without understanding that this information leaves the local chat context and is transmitted over the network.

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
Automatic translation of Chinese prompts into English without user choice changes user input before transmission and may expose additional interpreted content to the remote server. This can cause privacy, integrity, and safety issues if the translation is inaccurate, expands the prompt unexpectedly, or sends transformed text the user did not intend to share.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The upload operation reads an arbitrary local file path and transmits its contents to the configured remote server without any explicit warning at the point of use about data leaving the local environment. In an agent context, this can lead to accidental exfiltration of sensitive local files if a user or prompt directs the agent to upload a path without understanding the privacy implications.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.