Security checks across malware telemetry and agentic risk

Overview

This ComfyUI skill is mostly purpose-aligned, but it needs review because its downloader can install and run an unverified helper program and can write downloaded files outside the intended model folder.

Review before installing. Use only trusted workflow JSON and model URLs, prefer --no-pget or install pget yourself through a trusted channel, keep ComfyUI bound to 127.0.0.1, avoid --overwrite with untrusted URLs, and clear temporary workflow files that may contain private prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill exercises sensitive capabilities including file reads, shell execution, and network access, yet the manifest does not declare permissions or warn about those side effects. This creates a transparency and governance gap: an agent may invoke software installation, downloads, or filesystem changes under a skill that appears narrower and less risky than it is.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The stated purpose is running local ComfyUI workflows, but the instructions also permit installing ComfyUI from GitHub, installing an external downloader, and fetching arbitrary model files from user-supplied URLs. That mismatch is dangerous because users and orchestrators may authorize the skill for local inference while unintentionally enabling software installation and arbitrary remote content retrieval.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest frames the skill as a local workflow runner, but the body extends scope to installing ComfyUI and downloading model weights from arbitrary URLs. In context, that broader behavior increases supply-chain and remote content risk because a user asking to 'run a workflow' could trigger repo cloning or untrusted model downloads not obvious from the manifest.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Including software installation and arbitrary model download capability materially broadens the attack surface beyond image generation. Because model files and helper binaries are fetched from external sources and written into execution directories, the skill can introduce persistence, malicious payloads, or unsafe artifacts into the local environment.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The script expands the skill from running local ComfyUI workflows to downloading arbitrary remote model weights and modifying the local ComfyUI installation. That scope expansion increases attack surface by introducing network fetches, file writes, and dependency bootstrapping behavior not implied by the skill's stated purpose.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script downloads an executable from the internet into ~/.local/bin, marks it executable, and later runs it without signature verification, pinned hash validation, or explicit user approval. This creates a supply-chain and remote code execution path: compromise of the release URL, transport assumptions, or repository trust would let an attacker execute arbitrary code on the host.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger condition 'user describes an image to generate' is broad enough to overlap with ordinary conversation, increasing the chance the skill activates unexpectedly. In this skill's context, accidental activation is more dangerous because activation can lead not just to generation but also to workflow execution, file inspection, and potentially network/download side effects.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instructions tell the agent to download model weights and even install a helper tool without an explicit warning or confirmation flow for network access, filesystem writes, and persistence in ~/.local/bin and ~/ComfyUI/models. That is risky because arbitrary URLs supplied by a user can cause the environment to fetch and retain untrusted binaries or model artifacts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Silently installing an executable into ~/.local/bin changes the user's environment in a persistent way and may alter future command resolution or trust assumptions. Even if intended for convenience, making that change without an explicit warning and consent is unsafe, especially in an agent skill context where users may not expect software installation side effects.

Session Persistence

Medium
Category
Rogue Agent
Content
2. **Identify prompt-related nodes** by inspecting the graph: look for nodes that hold the main text prompt — e.g. `PrimitiveStringMultiline`, `CLIPTextEncode` (positive text), or any node with `_meta.title` or `class_type` suggesting "Prompt" / "positive" / "text". Update the corresponding input (e.g. `inputs.value`, or the text input to the encoder) to the image prompt you derived from the user (subject, style, lighting, quality). If the user didn't ask for a custom image, you can leave the existing prompt or tweak only if needed.
3. **Optionally identify style/prefix nodes** — e.g. `StringConcatenate`, or a second string input that acts as style. Set them if the user asked for a specific style or to clear a default prefix.
4. **Optionally set a new seed** — find sampler-like nodes (e.g. `KSampler`, `BasicGuider`, or any node with a `seed` input) and set `seed` to a new random integer so each run can differ.
5. Write the modified workflow to a temp file (e.g. `skills/comfyui/assets/tmp-workflow.json`). Use `~/ComfyUI/venv/bin/python` for any inline Python; do not use bare `python`.
6. Run: `comfyui_run.py --workflow <path-to-edited-json>`.

If the workflow structure is unclear or you can't find prompt/sampler nodes, run the file as-is and only change what you can reliably identify. Same approach for arbitrary user-supplied JSON: inspect first, edit to the best of your knowledge, then run.
Confidence
78% confidence
Finding
Write the modified workflow to a temp file (e.g. `skills/comfyui/assets/tmp-workflow.json`). Use `~/ComfyUI/venv/bin/python` for any inline Python; do not use bare `python`. 6. Run: `comfyui_run.py --

VirusTotal

65/65 vendors flagged this skill as clean.