Trust Assessment
ComfyUI received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 12 findings: 2 critical, 6 high, 4 medium, and 0 low severity. Key findings include arbitrary command execution, a suspicious import (urllib.request), and a dangerous call (subprocess.run()).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 11/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (12)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/kelvincai522/comfyui/scripts/download_weights.py:127 |
| CRITICAL | Unverified external executable download: The `download_weights.py` script downloads the `pget` executable from `https://github.com/replicate/pget/releases/latest/download` without any hash verification or version pinning. This allows an attacker to substitute a malicious `pget` binary if the GitHub repository or release infrastructure is compromised, leading to arbitrary code execution on the user's machine. Pin the `pget` version to a specific release and verify its integrity using a cryptographic hash (e.g., SHA256) before execution. Alternatively, instruct the user to install `pget` manually or use a package manager. | LLM | scripts/download_weights.py:90 |
| HIGH | Dangerous call: subprocess.run(): Call to 'subprocess.run()' detected in function 'download_with_pget'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/kelvincai522/comfyui/scripts/download_weights.py:127 |
| HIGH | Potential data exfiltration (file read + network send): Function 'get_pget_binary' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/kelvincai522/comfyui/scripts/download_weights.py:87 |
| HIGH | Potential data exfiltration (file read + network send): Function 'download_one_fallback' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/kelvincai522/comfyui/scripts/download_weights.py:140 |
| HIGH | Arbitrary file download from untrusted URLs: The `download_weights.py` script is designed to download model weights from URLs provided by the user. This allows an attacker to supply URLs pointing to malicious files, which will then be downloaded and stored within the `~/ComfyUI/models/` directory. While the skill itself doesn't execute these files, their presence in a trusted location could be exploited by ComfyUI or other processes, leading to various attacks (e.g., code execution if ComfyUI loads a malicious model, or data corruption). Implement strict URL validation (e.g., allowlist of trusted domains, file type checks). Warn the user about the risks of downloading models from untrusted sources. Consider sandboxing the download process or isolating the downloaded files. | LLM | scripts/download_weights.py:200 |
| HIGH | Broad filesystem access and arbitrary command execution: The skill operates with extensive permissions within the user's home directory (`~`). It instructs the LLM to perform actions such as `git clone`, `pip install`, downloading executables (`pget`), and running Python scripts (`main.py`, `comfyui_run.py`, `download_weights.py`). This broad access, combined with the ability to download and install arbitrary software and files based on user input, presents a significant security risk. A malicious user could leverage these capabilities to install harmful software, modify system files, or exfiltrate data from the user's home directory. Restrict the skill's operating environment to a more confined sandbox if possible. Limit the scope of filesystem access to only necessary directories. Implement stricter validation and sanitization of all user-provided inputs that influence file paths or commands. | LLM | SKILL.md:67 |
| HIGH | Potential command injection via unsanitized paths in shell commands: The skill instructs the LLM to construct and execute shell commands where parts of the command, such as file paths (`<path-to-edited-json>`, `/tmp/weight_urls.txt`), are derived from user input or LLM-generated content. If the LLM fails to properly sanitize or quote these paths, an attacker could inject shell metacharacters (e.g., `;`, `&`, `|`, `$(...)`) to execute arbitrary commands. Instruct the LLM to always use proper quoting (e.g., `shlex.quote()` in Python) for any user-controlled or LLM-generated strings that are inserted into shell commands. Ensure that temporary file paths are securely generated and handled. | LLM | SKILL.md:57 |
| MEDIUM | Suspicious import: urllib.request: Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/kelvincai522/comfyui/scripts/comfyui_run.py:7 |
| MEDIUM | Suspicious import: urllib.request: Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/kelvincai522/comfyui/scripts/download_weights.py:17 |
| MEDIUM | Unpinned Git clone for ComfyUI installation: The skill instructs the LLM to install ComfyUI using `git clone https://github.com/comfyanonymous/ComfyUI.git ~/ComfyUI`. This command clones the `main` branch without specifying a particular commit hash or tag. This introduces a supply chain risk, as future changes to the `main` branch could introduce vulnerabilities or malicious code that would be automatically pulled and executed. Instruct the LLM to clone a specific, verified commit hash or release tag of the ComfyUI repository to ensure reproducibility and security. | LLM | SKILL.md:69 |
| MEDIUM | Unpinned Python dependencies: The skill instructs the LLM to install Python dependencies using `~/ComfyUI/venv/bin/pip install -r requirements.txt`. The `requirements.txt` file is not provided in the skill context, but the instruction itself implies that dependencies are installed without explicit version pinning. This can lead to non-reproducible builds and introduce vulnerabilities if a dependency's latest version contains security flaws. Ensure that `requirements.txt` (or equivalent dependency management) explicitly pins all dependencies to specific versions (e.g., `package==1.2.3`) to prevent unexpected updates and potential supply chain attacks. | LLM | SKILL.md:72 |
Full report: https://skillshield.io/report/f5aed2319d58e1db (powered by SkillShield)