Back to skill

Security audit

OpenClaw ComfyUI

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims for ComfyUI, but a hostile or compromised ComfyUI server could influence where downloaded files are written locally.

Review or patch the downloader before installing, especially if connecting to a remote or shared ComfyUI host. Use only trusted ComfyUI endpoints, avoid sensitive input media unless transfer is intended, pin dependencies where practical, and add filename sanitization plus a polling timeout.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly advertises automatic upload of input images to a remote ComfyUI host and automatic download of generated outputs, but it does not warn users about the privacy, confidentiality, and network-transfer implications of that behavior. In an agent skill context, this is more dangerous because users may invoke the skill on sensitive local files without realizing the skill will transmit them to another system and persist outputs locally.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.