ComfyUI Workflow Generator

Security checks across malware telemetry and agentic risk

Overview

This ComfyUI workflow skill is mostly purpose-aligned, but it grants under-disclosed local code-execution and broad file-write authority.

Review before installing. Use only trusted local model and tokenizer directories, avoid HuggingFace models that require custom remote code unless you trust the source, keep catalog and output paths at safe defaults, and do not share debug prompt outputs if they include private workflow instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The function treats user-controlled filename input as a partial path, extracts subdirectories from it, and joins them directly under the configured output directory without enforcing that the final resolved path remains inside that directory. Inputs containing traversal segments such as '../' can cause files and created directories to escape the intended output scope, enabling arbitrary file write within the process's permissions.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
This helper not only saves generated workflow JSON but also creates attacker-influenced directories and controls write placement based on path-like input. In a workflow-generation skill, that broad filesystem capability is more dangerous because natural-language-derived or tool-passed names may be attacker-controlled, expanding the impact from simple file saving to unauthorized filesystem modification.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The loader uses AutoTokenizer.from_pretrained(..., trust_remote_code=True), which permits execution of arbitrary Python from a Hugging Face repository. In the fallback path, it may also resolve non-local identifiers over the network, so a user-controlled or misdetected tokenizer_path can cause untrusted code execution during model loading. This is not necessary for a workflow-generation skill and materially expands the attack surface.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The loader passes trust_remote_code=True to AutoModelForCausalLM.from_pretrained, which allows execution of arbitrary Python code shipped by a Hugging Face repository during model load. Because this skill’s purpose is workflow generation rather than executing third-party model code, enabling remote/custom code materially expands the attack surface and can lead to local code execution, data theft, or host compromise if an untrusted or swapped model path is used.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Tokenizer loading also uses trust_remote_code=True in multiple branches, which means malicious custom tokenizer code from a repository or path can execute during initialization. This broadens the same arbitrary-code-execution risk beyond model weights and is especially risky because the fallback logic may retry without local_files_only, increasing chances of unexpected repository resolution or unsafe code paths.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases are broad enough to match ordinary user requests about ComfyUI workflow help, which can cause unintended or automatic invocation of the skill. In an agent setting, overbroad activation can route user prompts into a tool path with file/environment capabilities, increasing the chance of unnecessary data exposure or unsafe workflow generation without clear user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When local loading fails, the code logs a warning and retries without local_files_only while still keeping trust_remote_code=True. That means a local error can silently turn into network access and remote code execution, which is especially dangerous because it happens automatically and without a strong user-facing warning or consent boundary.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
At the point of model loading, the code silently enables execution of custom repository code without any explicit user-facing disclosure or consent. While the primary security issue is the unsafe execution itself, the lack of warning makes exploitation more likely because operators may believe they are only loading weights, not running arbitrary Python.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The tokenizer path also permits custom code execution without clear disclosure to the user, despite tokenizers often being assumed to be passive data assets. This mismatch between expected behavior and actual capability increases the risk of accidental execution of malicious repository code and reduces informed consent for dangerous operations.

Ssd 1

Medium
Confidence
93% confidence
Finding
User-controlled `desc` and `diagram` are interpolated directly into an instruction prompt for the local LLM, so adversarial content inside those fields can override or confuse the model’s task and cause incorrect node substitution decisions. In this skill, that matters because the model’s output is used to modify workflow structure, so prompt injection can degrade integrity of generated workflows and potentially steer selection toward unsafe or unintended nodes.

Unpinned Dependencies

Low
Category
Supply Chain
Content
sentence-transformers>=2.2.1
tinydb>=4.8.2
scikit-learn>=1.3.0
omegaconf>=2.3.0
Confidence
89% confidence
Finding
sentence-transformers>=2.2.1

Unpinned Dependencies

Low
Category
Supply Chain
Confidence
89% confidence
Finding
tinydb>=4.8.2

Unpinned Dependencies

Low
Category
Supply Chain
Confidence
94% confidence
Finding
scikit-learn>=1.3.0

Unpinned Dependencies

Low
Category
Supply Chain
Confidence
88% confidence
Finding
omegaconf>=2.3.0

Known Vulnerable Dependency: scikit-learn — 6 advisories: CVE-2020-13092 (scikit-learn Deserialization of Untrusted Data); CVE-2024-5206 (scikit-learn sensitive data leakage vulnerability); CVE-2020-28975 (scikit-learn Denial of Service) +3 more

Critical
Category
Supply Chain
Confidence
95% confidence
Finding
scikit-learn

VirusTotal

66/66 vendors flagged this skill as clean.
