Back to skill

Security audit

ComfyUI Painter

Security checks across malware telemetry and agentic risk

Overview

This image-generation skill mostly matches its stated purpose, but it has broad triggers and over-scoped local process and file-writing behavior that users should review before installing.

Install only if you are comfortable with this skill controlling a local ComfyUI instance, using a CivitAI API key, downloading third-party model files, modifying config.json, and sending generated images to Discord. Before use, restrict activation to explicit commands, bind ComfyUI to localhost unless remote access is intentional, replace the all-Python kill command with PID-specific shutdown, reject absolute paths and path separators in download filenames, and require confirmation before downloads or persistent config changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f"-ArgumentList '{COMFY['main_path']}','--listen','0.0.0.0','--port','{COMFY['port']}' "
        f"-WorkingDirectory '{COMFY['work_dir']}' -WindowStyle Hidden"
    )
    subprocess.run([POWERSHELL, "-Command", cmd], capture_output=True, timeout=15)
    
    # 等待启动
    for _ in range(timeout // 2):
Confidence
90% confidence
Finding
subprocess.run([POWERSHELL, "-Command", cmd], capture_output=True, timeout=15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def stop() -> bool:
    subprocess.run(
        [POWERSHELL, "-Command",
         "Get-Process python -ErrorAction SilentlyContinue | Stop-Process -Force"],
        capture_output=True, timeout=10
Confidence
97% confidence
Finding
subprocess.run( [POWERSHELL, "-Command", "Get-Process python -ErrorAction SilentlyContinue | Stop-Process -Force"], capture_output=True, timeout=10 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill documentation describes capabilities including environment access, file read/write, network access, and shell execution, yet no explicit permissions are declared. This creates a mismatch between what the skill can do and what reviewers or users may expect, increasing the chance of silent process execution, filesystem access, and network activity without informed approval.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The design explicitly reads a Discord bot token from a user config file even though the documented purpose is local image generation via ComfyUI. Access to bot credentials expands the skill's privileges into Discord account control, creating unnecessary secret exposure and increasing the blast radius if the skill is compromised or misused.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The shutdown command uses a blanket `Get-Process python | Stop-Process -Force`, which can terminate unrelated Python programs on the host, not just ComfyUI. In this environment, that can disrupt other automation, services, or security tooling and amounts to destructive behavior beyond the skill's stated purpose.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The stop() implementation does not stop only the managed ComfyUI instance; it forcibly stops all Python processes system-wide. In the context of an agent skill that may run on a shared workstation or automation host, this can cause denial of service, data loss, and interruption of unrelated workloads.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill claims to manage ComfyUI specifically, but the implementation of '关闭 ComfyUI' kills every Python process. This mismatch is dangerous because users and higher-level agents may invoke it assuming a scoped operation, causing unexpected broad system disruption.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger design activates on any message in the Discord image channel, not just clear user intent to run the skill. That broad activation can cause accidental execution, resource consumption, model downloads, or other side effects from ordinary conversation or pasted content.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The design states that a Discord bot token will be read from a local config but does not disclose this credential access in a user-facing way. Hidden secret access reduces informed consent and makes misuse or overcollection of credentials harder to detect, especially for a skill whose main function is image generation.

Vague Triggers

High
Confidence
98% confidence
Finding
The trigger conditions are overly broad, including common phrases and any message in a specific Discord channel, which can cause the skill to activate on unrelated or unintended user input. Because the skill can start local services, download models, and send files to Discord, accidental invocation materially increases the attack surface and risk of unauthorized actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow states that ComfyUI will be automatically started if it is not running, but it does not mention user consent, process visibility, or operational risks. Unprompted process creation can consume GPU/CPU resources, alter host state, and surprise users in environments where local execution should be tightly controlled.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill copies generated images into a workspace temp directory and sends them to a Discord channel, but the documentation does not warn about external sharing or retention risks. Since generated images may contain sensitive prompts, embedded metadata, or private user content, silent upload to a third-party service can cause unintended disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to store a CivitAI API key in a plaintext markdown file, which is an insecure credential handling pattern. Plaintext secrets are easier to leak through backups, logs, workspace access, or accidental file sharing, especially in an environment with file read capabilities.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The `update-all` CLI path writes tuned parameters directly into the persistent config via `_save_config(cfg)` without any confirmation, dry-run mode, backup, or warning to the user. In this skill context, that can silently alter future image-generation behavior across all known models, causing unexpected workflow changes or destructive configuration drift if bad metadata or a mistaken invocation is used.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The function downloads arbitrary remote content directly into the ComfyUI model checkpoints directory with no confirmation, file-type verification, size guard, or integrity check. In this skill context, that is more dangerous because the explicit purpose is to fetch and install third-party models, so a user or upstream response can cause unreviewed files to be persisted into a sensitive runtime path.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The function performs an immediate forced termination of all Python processes without any safety check, confirmation, or graceful shutdown attempt. In an automated agent setting, this increases the chance of accidental destructive actions because a simple 'stop ComfyUI' request can unexpectedly kill unrelated software.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.