ComfyUI TTS

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward ComfyUI text-to-speech wrapper, with input-validation weaknesses but no evidence of hidden, destructive, or deceptive behavior.

Install only if you trust the ComfyUI server you configure. Avoid sending sensitive text to remote or shared ComfyUI hosts, keep character/style/model values within normal documented choices, and use output paths that will not overwrite important files.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill description omits that user-provided text is sent to an HTTP API service and that generated audio is written to disk. This creates a privacy and data-handling risk because users may unknowingly transmit sensitive content to another service and leave artifacts stored locally.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal