Comfy Story Video

Security checks across malware telemetry and agentic risk

Overview

The skill’s media-generation purpose is clear, but its script interpolates theme/story text directly into local shell commands, so ordinary-looking input can become an unsafe command.

Install only if you trust the themes and story text passed to it, and prefer a patched version that replaces os.system with subprocess.run argument lists and sanitizes filename components. Keep ComfyUI bound to localhost and run the skill in a limited local workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
# Generate speech with the macOS `say` command
cmd = f'say -v "Ting-Ting" -o "{temp_aiff}" "{text}"'
os.system(cmd)

# Convert to mp3
cmd = f'ffmpeg -i "{temp_aiff}" -codec:a libmp3lame -qscale:a 2 "{output_path}" -y 2>/dev/null'
Confidence
97% confidence
Finding
os.system(cmd)

VirusTotal

66/66 vendors flagged this skill as clean.