Security audit

Comfyui Workflow

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a legitimate ComfyUI workflow runner, but it has under-disclosed local process, directory-inventory, and persistence behavior that users should review first.

Install only if you are comfortable letting the skill interact with your ComfyUI server, upload the media files you provide, and save generated outputs locally. Prefer starting ComfyUI yourself and using `--no-ensure`, keep model inventory scans limited to directories you approve, and review saved media metadata before sharing generated files.
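ComfyUI's SaveImage node writes the prompt and the workflow JSON into every PNG it produces as `prompt` and `workflow` text chunks; that is the metadata the overview tells you to review before sharing. The script below is an added example, not code from this skill or from ComfyUI: it lists the text chunks in a PNG and rebuilds the file without the named ones, using only the standard library. The 1x1 PNG it builds in `build_sample_png` is constructed for the demonstration, and the `Comment` chunk is a hypothetical unrelated keyword included to show that stripping is selective.

```python
"""List and strip text chunks (prompt/workflow JSON) from a ComfyUI-generated PNG."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}
# Keywords ComfyUI's SaveImage writes by default; stripping them removes the embedded prompt.
COMFY_KEYWORDS = ("prompt", "workflow")


def _make_chunk(ctype, body):
    """Length + type + body + CRC32 over type and body, as the PNG spec requires."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def _iter_chunks(data):
    """Yield (type, body) for each chunk, verifying the signature and every CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            break


def _decode_text(ctype, body):
    """Return (keyword, value) for a tEXt, zTXt or iTXt chunk body."""
    keyword, _, rest = body.partition(b"\x00")
    if ctype == b"tEXt":
        value = rest
    elif ctype == b"zTXt":
        value = zlib.decompress(rest[1:])          # rest[0] is the compression method
    else:                                          # iTXt: flag, method, lang\0, translated\0, text
        compressed = rest[0]
        tail = rest[2:]
        _lang, _, tail = tail.partition(b"\x00")
        _translated, _, text = tail.partition(b"\x00")
        value = zlib.decompress(text) if compressed else text
    return keyword.decode("latin-1"), value.decode("utf-8", "replace")


def text_keywords(data):
    """Map keyword -> text for every text chunk in the PNG; this is what a shared file leaks."""
    return dict(_decode_text(t, b) for t, b in _iter_chunks(data) if t in TEXT_CHUNKS)


def strip_text_chunks(data, keywords=COMFY_KEYWORDS):
    """Rebuild the PNG without text chunks whose keyword is in `keywords`; image data is untouched."""
    out = bytearray(PNG_SIG)
    removed = []
    for ctype, body in _iter_chunks(data):
        if ctype in TEXT_CHUNKS:
            keyword = body.split(b"\x00", 1)[0].decode("latin-1")
            if keyword in keywords:
                removed.append(keyword)
                continue
        out += _make_chunk(ctype, body)
    return bytes(out), removed


def build_sample_png(prompt_json):
    """Constructed 1x1 RGB PNG carrying a ComfyUI-style 'prompt' chunk plus an unrelated 'Comment'."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)       # 1x1, 8-bit RGB, no interlace
    idat = zlib.compress(b"\x00\xff\x00\x00")                  # filter byte 0 + one red pixel
    return PNG_SIG + b"".join([
        _make_chunk(b"IHDR", ihdr),
        _make_chunk(b"tEXt", b"prompt\x00" + prompt_json),
        _make_chunk(b"tEXt", b"Comment\x00harmless"),          # hypothetical unrelated keyword
        _make_chunk(b"IDAT", idat),
        _make_chunk(b"IEND", b""),
    ])


if __name__ == "__main__":
    png = build_sample_png(b'{"3": {"class_type": "KSampler", "inputs": {"seed": 1}}}')
    print("before:", sorted(text_keywords(png)))
    clean, removed = strip_text_chunks(png)
    print("removed:", removed, "after:", sorted(text_keywords(clean)))
```

Run `text_keywords` on a real output from this skill to see exactly what would travel with the file; `strip_text_chunks` keeps `IHDR`/`IDAT`/`IEND` byte-for-byte and recomputes CRCs only for the chunks it copies, so the image itself is unchanged.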

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Medium severity, 94% confidence
The skill goes beyond executing workflows and directs the agent to build and maintain persistent knowledge caches about the user's environment across sessions. That expands the data collection surface and can retain sensitive local information about installed models, paths, workflow capabilities, and operational habits without a clear need for the core task.

Context-Inappropriate Capability

Medium severity, 95% confidence
Instructing the agent to scan the user's model directories is broader than necessary for executing or inspecting a selected ComfyUI workflow. Directory scanning can reveal unrelated local assets, model names, folder structures, and potentially proprietary or sensitive information, making the skill more invasive than its stated purpose suggests.

Context-Inappropriate Capability

Medium severity, 82% confidence
The skill is presented as a workflow executor, but it can also auto-start local infrastructure via `comfy_control.sh`, which materially increases its power and side effects on the host. In an agent setting, unexpected service launch behavior can violate least-privilege expectations and may be abused to trigger unauthorized local process execution.

Missing User Warnings

Medium severity, 93% confidence
The documentation tells the agent to clean example content and populate knowledge-cache files, which implies overwriting local files, but it does not foreground that this is a write operation with possible data loss. Silent or poorly disclosed modification of local documentation/state files is risky because it can destroy prior content or create persistent records the user did not expect.

Missing User Warnings

Low severity, 84% confidence
The optional `--check-ps` path performs broad host inspection through PowerShell, including process enumeration, event log access, and GPU telemetry collection. In an agent/tool context, this expands data exposure beyond workflow execution and could reveal sensitive host metadata without sufficiently prominent warning or explicit consent boundaries.

Missing User Warnings

Medium severity, 90% confidence
The workflow includes a SaveImage node that persists generated images to disk under a fixed filename prefix, and ComfyUI's SaveImage also embeds the prompt and workflow JSON in each PNG by default; the workflow itself carries no user-facing disclosure that outputs will be written locally. In an agent/skill context, silent persistence can leak sensitive prompts or generated content to shared disks, backups, or other local users, especially if users expect ephemeral processing.

Missing User Warnings

Medium severity, 93% confidence
This workflow contains output nodes configured with save_output enabled and concrete filename prefixes, which causes generated videos to be written to disk automatically. That behavior is not inherently malicious, but without clear user-facing disclosure it can surprise users, leak sensitive generated content into persistent storage, and create privacy or disk-usage issues in an agent-executed context.

Missing User Warnings

Medium severity, 92% confidence
The video output configuration sets save_metadata to true, so generation context (the prompt and workflow JSON, including model choices and settings) may be embedded in the saved media file. In an agent skill, this exposes that context to anyone who later accesses or shares the output file, and this workflow file carries no explicit warning about it.

Missing User Warnings

Medium severity, 95% confidence
A second VHS_VideoCombine node is configured to save merged video output automatically to disk using a dated filename prefix. In the context of a workflow executor skill, automatic persistence increases risk because generated media may contain sensitive user inputs or derived content and the user may not realize a durable file has been created.

Missing User Warnings

Medium severity, 93% confidence
The workflow writes generated outputs to disk automatically via SaveImage and later also saves video output, using date/time-based paths, without any visible disclosure or consent mechanism in the workflow file. In an agent-executed context, silent persistence can expose sensitive user-provided media or generated content to unintended retention, later access, or leakage through shared workspaces and logs.

Missing User Warnings

Medium severity, 95% confidence
The video combine node is configured to save output and preserve metadata by default, which can embed prompts, workflow details, or other generation context into the produced media file without warning. In a reusable agent skill, this increases the risk of unintentional disclosure of user inputs, model choices, or operational details when files are shared or uploaded elsewhere.
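The last six findings describe one pattern in the bundled workflow files: output nodes that write to disk (SaveImage unconditionally, VHS_VideoCombine when save_output is true), sometimes under `%date:...%` prefixes that ComfyUI expands into dated paths, and a save_metadata flag that embeds generation context in the file. The check below is an added example, not anything shipped with this skill or with ComfyUI: it audits a workflow in ComfyUI's API (prompt) format, where each node is `{"class_type": ..., "inputs": {...}}`, and produces a neutralized copy to run instead. `SAMPLE_WORKFLOW` is constructed for the example; the node class names in the three lookup tables are the ComfyUI core and VideoHelperSuite classes I am assuming, not a complete list, and the PreviewImage substitution still writes to ComfyUI's temp folder rather than producing no file at all.

```python
"""Audit a ComfyUI API-format workflow for output nodes that persist files or embed metadata."""
import copy

# Core nodes that always write into the output directory (assumed set, not exhaustive).
ALWAYS_WRITE = {"SaveImage", "SaveAnimatedWEBP", "SaveAnimatedPNG"}
# Nodes that write only when a boolean input is true; VHS = ComfyUI-VideoHelperSuite.
CONDITIONAL_WRITE = {"VHS_VideoCombine": "save_output"}
# Nodes with an input that embeds prompt/workflow JSON into the saved media.
METADATA_FLAGS = {"VHS_VideoCombine": "save_metadata"}

# Constructed sample in API format: a sampler, an image save, a video save with a
# %date:...% prefix and metadata enabled, and a preview node for contrast.
SAMPLE_WORKFLOW = {
    "3": {"class_type": "KSampler", "inputs": {"seed": 1, "model": ["4", 0]}},
    "9": {"class_type": "SaveImage",
          "inputs": {"filename_prefix": "ComfyUI", "images": ["8", 0]}},
    "12": {"class_type": "VHS_VideoCombine",
           "inputs": {"filename_prefix": "%date:yyyy-MM-dd%/merged",
                      "save_output": True, "save_metadata": True,
                      "images": ["11", 0]}},
    "15": {"class_type": "PreviewImage", "inputs": {"images": ["8", 0]}},
}


def audit_workflow(workflow):
    """Return a list of {node, class, issue, prefix} dicts for every persistence or metadata risk."""
    findings = []
    for node_id, node in workflow.items():
        cls = node.get("class_type", "")
        inputs = node.get("inputs", {})
        prefix = str(inputs.get("filename_prefix", ""))
        writes = cls in ALWAYS_WRITE or (
            cls in CONDITIONAL_WRITE and bool(inputs.get(CONDITIONAL_WRITE[cls], False)))
        if writes:
            findings.append({"node": node_id, "class": cls, "issue": "writes-to-disk", "prefix": prefix})
            if "%date:" in prefix:   # ComfyUI expands %date:...% tokens into dated paths
                findings.append({"node": node_id, "class": cls, "issue": "dated-path", "prefix": prefix})
        if cls in METADATA_FLAGS and bool(inputs.get(METADATA_FLAGS[cls], False)):
            findings.append({"node": node_id, "class": cls, "issue": "embeds-metadata", "prefix": prefix})
    return findings


def disable_persistence(workflow):
    """Deep copy with conditional saves and metadata off and SaveImage swapped for PreviewImage.

    Other ALWAYS_WRITE classes are reported by audit_workflow but left alone here, because
    replacing an animated-format saver with PreviewImage would change what the node produces.
    """
    out = copy.deepcopy(workflow)
    for node in out.values():
        cls = node.get("class_type", "")
        inputs = node.setdefault("inputs", {})
        if cls in CONDITIONAL_WRITE:
            inputs[CONDITIONAL_WRITE[cls]] = False
        if cls in METADATA_FLAGS:
            inputs[METADATA_FLAGS[cls]] = False
        if cls == "SaveImage":
            # PreviewImage takes only "images"; it writes to the temp folder, not output/.
            node["class_type"] = "PreviewImage"
            inputs.pop("filename_prefix", None)
    return out


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"node {f['node']} ({f['class']}): {f['issue']} prefix={f['prefix']!r}")
    print("after hardening:", audit_workflow(disable_persistence(SAMPLE_WORKFLOW)))
```

Load each workflow JSON the skill ships with `json.load` and pass it to `audit_workflow` before letting the agent queue it; an empty result means no node in the file will leave a durable output or embed the prompt, which is the disclosure the findings say is missing.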

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.