Comfyui

Security checks across malware telemetry and agentic risk

Overview

This ComfyUI image skill is mostly purpose-aligned, but it includes overbroad process-killing and low-visibility Feishu sending that users should review carefully before installing.

Install only if you are comfortable with local ComfyUI process control, generated images being saved locally, and optional Feishu upload/send behavior. Before use, remove or fix the taskkill /IM python.exe stop path, require explicit confirmation for Feishu sends and service stop/restart, and verify any downloaded model or helper executable source.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (19)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
pass
    
    try:
        subprocess.run(["taskkill", "/F", "/IM", "python.exe"], 
                      capture_output=True, timeout=10)
    except Exception:
        pass
Confidence
99% confidence
Finding
subprocess.run(["taskkill", "/F", "/IM", "python.exe"], capture_output=True, timeout=10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill declares only Bash/exec tools while the documented behavior clearly implies broader capabilities including network access, file read/write, and external messaging. This mismatch weakens permission transparency and can cause users or the platform to underestimate what the skill can actually do, especially when it starts services, saves outputs, and sends data to Feishu.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is local image generation, but the analyzed behavior extends to downloading model weights from arbitrary URLs, reading local Feishu credentials, and sending data externally via OpenClaw/Feishu. That is a significant scope expansion: arbitrary downloads create a supply-chain risk, and using locally stored tokens to exfiltrate generated content or metadata can expose sensitive information without clear user consent.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The bundled workflow hardcodes the prompt to generate explicit nude imagery ('Adult woman, nude...') while the skill is presented as a general-purpose image generation tool. This creates a hidden unsafe default behavior that can produce sexual content without clear disclosure, policy gating, or user intent, increasing the risk of accidental NSFW generation and downstream policy/compliance violations.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill includes host-level lifecycle management, including starting and forcibly stopping a desktop executable, which goes beyond simple image generation. In an agent environment, this increases the blast radius: a user asking to generate an image can implicitly trigger local process control and forceful termination behavior on the host.

Context-Inappropriate Capability

High
Confidence
100% confidence
Finding
The stop routine indiscriminately kills all python.exe processes, which is destructive and not justified by the skill's stated purpose of managing only ComfyUI. This becomes more dangerous in an agent environment where a user may reasonably expect only the image-generation service to be affected, not unrelated Python workloads.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This file implements a standalone capability to upload arbitrary local images to Feishu using locally stored credentials, which goes beyond pure local image generation and enables outbound data transfer. In the context of an image-generation skill, that materially increases the risk of unintended exfiltration of generated or user-supplied images to an external service.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script silently reads a Feishu access token from a fixed home-directory config path and uses it for network actions without additional validation or user consent. This creates a credential-use primitive that can be abused to send data through the user's Feishu account and weakens the boundary between local generation and external messaging.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The script adds outbound messaging/exfiltration behavior to a skill primarily presented as a local image-generation tool. That broader capability is security-relevant because generated or local image files can be silently transmitted to an external user on Feishu, expanding the trust boundary beyond local processing.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Invoking an external messaging CLI gives the skill a communication channel that is not inherently necessary for local image generation. In the skill context, this makes misuse more dangerous because a compromised workflow or prompt-triggered action could send files to arbitrary recipients without the operator realizing the skill has networked messaging capability.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The changelog explicitly advertises 'Feishu silent send' and 'NO_REPLY on success', which reduces user visibility into when content is transmitted. In an agent skill that can generate and send images, suppressing normal confirmation can conceal unintended data sharing or automated outbound actions, especially if users assume the action stayed local.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The README advertises very broad natural-language triggers such as '生成图片、画图、绘制、AI 绘画、文生图、图生图', which are common phrases likely to appear in normal conversation. In an agent environment, this can cause accidental invocation of the skill in contexts where the user did not intend to start local image generation, potentially launching services, consuming GPU resources, or sending outputs through integrated channels like Feishu.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Very broad trigger phrases like '生成图片' or '画图' increase the chance of accidental invocation during normal conversation. In this skill's context, accidental activation is more dangerous because it can auto-start a local server, consume GPU resources, write files, and silently send outputs to Feishu.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill advertises silent Feishu sending without adequately warning that generated images and related content may be transmitted to an external messaging platform. Silent external transmission reduces user visibility and consent, making unintended disclosure of prompts, images, or contextual data more likely.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger list is broad and includes common phrases like '画一个' and '生成一张', which can match ordinary conversation and cause the skill to activate unexpectedly. In a skill that can start local services and process or transmit generated content, accidental invocation increases the chance of unintended actions, resource consumption, and user confusion.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The manifest advertises '飞书静默发送' (silent Feishu sending), indicating data may be transmitted to an external messaging platform without a clear user-facing warning or consent flow. Because this skill handles user prompts and generated images, silent outbound delivery can expose sensitive content, private prompts, or metadata to third parties without the user's awareness.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code performs broad destructive process termination without any user-facing disclosure that all python.exe processes may be killed. This creates a hidden denial-of-service risk and can abruptly interrupt unrelated jobs and corrupt in-memory work.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script transmits local image contents to Feishu and sends a message using existing credentials without any explicit disclosure, approval step, or warning to the user. In a skill that users may expect to operate locally, silent outbound transfer is dangerous because sensitive generated or source images may be sent off-device without informed consent.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger list contains very generic phrases such as '生成图片', '画图', '绘制', '画一个', and '生成一张', which are likely to match ordinary conversation and unintentionally invoke the skill. In an agent setting, overly broad activation can cause unauthorized local server startup, image generation, or file/path interactions without clear user intent, increasing the risk of accidental execution and abuse of local resources.

VirusTotal

63/63 vendors flagged this skill as clean.
