Runninghub

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only RunningHub integration whose cloud API and API-key use fit its stated ComfyUI workflow purpose.

Install this if you want your agent to use RunningHub’s cloud API. Provide an API key only when needed, prefer a revocable key, confirm paid generation or workflow publishing actions, and avoid sending sensitive prompts, private media, secrets, or regulated data unless you are comfortable sharing them with RunningHub.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 90%
Finding
The activation conditions are overly broad and could trigger this skill for many generic image/video or workflow-related requests, causing unintended routing to a third-party service. In context, this increases the chance that user prompts, media, or workflow parameters are sent externally without a clear, specific user request to use RunningHub.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill describes API usage but does not warn users that prompts, workflow inputs, images, videos, and account-linked data will be transmitted to RunningHub using an API key. This lack of disclosure can lead to privacy, consent, and data-handling risks, especially for sensitive prompts or user-supplied media.

VirusTotal

64/64 vendors flagged this skill as clean.
