Security audit

Comfy UI Complete Toolkit

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only ComfyUI helper whose remote/cloud use has normal data and cost considerations but no hidden executable behavior.

Install this if you want an agent to help operate ComfyUI. Use only ComfyUI servers you trust, avoid putting secrets in setup notes, and confirm before large batches, paid cloud GPU runs, output retrieval from hosted systems, or interrupting active jobs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 82% confidence
Finding: The README explicitly promotes submitting workflows and batch jobs to local, remote, and cloud ComfyUI instances, but it does not clearly warn users that prompts, images, metadata, and GPU/compute usage may be sent to and processed on external infrastructure. In an agent-driven setting, this omission can lead users to authorize actions without understanding data exposure, cost, or resource-consumption implications, especially for remote endpoints.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal