Trust Assessment
comfyui-api received a trust score of 79/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. The findings are "Missing required field: name" and "Unvalidated server URL allows prompt data exfiltration".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unvalidated server URL allows prompt data exfiltration: The `set_url` function allows setting an arbitrary `server_url` without validation of the host or scheme. Subsequent `generate` commands will send user-provided `prompt_data` to this configured server via HTTP POST or WebSocket. An attacker could configure a malicious `server_url` to exfiltrate sensitive user prompts. Implement strict validation for the `server_url` in the `set_url` method. This should include checking for valid URL schemes (e.g., `http`, `https`), and potentially restricting the host to a whitelist or preventing connections to private/internal IP ranges if the skill is not intended for such use. | LLM | comfyui.py:37 |
| MEDIUM | Missing required field: name: The 'name' field is required for openclaw skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/qqliaoxin/comfyui-api/SKILL.md:1 |