Comfyui anfrage

Security checks across malware telemetry and agentic risk

Overview

This is a small ComfyUI client that does what it says, though users should only point it at a trusted server because it sends workflows and optional Basic Auth credentials over HTTP.

Install only if you intend to send workflows to a ComfyUI server you control or trust. Set COMFYUI_HOST and COMFYUI_PORT explicitly, avoid reusing important passwords for COMFYUI_USER/COMFYUI_PASS, and prefer a trusted local network, VPN, or HTTPS reverse proxy when credentials or sensitive prompts are involved.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 90% confidence
Finding: The skill declares no explicit permissions even though its documented behavior requires reading environment variables and making network requests. This weakens security transparency and reviewability, because users and platforms may not realize the skill can access credentials and transmit data to a remote service.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill documentation says it sends workflow data and optional basic-auth credentials over plain HTTP to a remote ComfyUI server, but it does not warn users about the confidentiality risk. This can expose prompts, workflow contents, generated image data, and credentials to interception or unintended disclosure, especially on non-local or shared networks.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal