Is dihan/comfy-ui safe?

https://github.com/openclaw/skills/tree/main/skills/dihan/comfy-ui

Overall score: 86 · Verdict: SAFE

The dihan/comfy-ui skill is a straightforward local image generation wrapper for ComfyUI with no prompt injection, no malicious installation behavior, no credential exfiltration, and a clean audit trail limited to expected GitHub clone traffic. The primary security concerns are theoretical: the Python script passes a user-configured server URL to urllib without validation (enabling prompt redirection if the environment variable is compromised), and server-provided filenames are interpolated into local paths without sanitization. An independent content concern is that the bundled workflow files ship pre-configured with a named-individual LoRA at 0.9 strength and sexual-content negative prompts, which raises policy and non-consensual deepfake risks beyond the security domain.

Category Scores (score / weight in overall)

Prompt Injection 93/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 88/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (7)

MEDIUM Server URL accepted without validation — prompt data could be redirected -15

comfy_gen.py passes the server_address argument directly to urllib.request.urlopen() for both the prompt submission POST and the history polling GET, with no domain validation, allowlist, or TLS certificate pinning. If COMFYUI_SERVER_ADDRESS is manipulated (e.g., via a malicious upstream skill, environment variable injection, or social engineering), all image generation prompts and downloaded outputs would be sent to an attacker-controlled server.

MEDIUM Bundled workflows pre-configured for sexualized image generation of named LoRA subject -18

Both Z-Image-BigLove.json and Z-Image-Turbo.json reference LoRA checkpoints keyed to a named subject ('l1lly') and include negative prompts explicitly modulating sexual body characteristics. This indicates the skill ships pre-configured for generating sexualized likenesses of a named individual, which raises non-consensual deepfake concerns and may violate platform content policies. The LoRA is disabled in BigLove (on: false) but enabled at 0.9 strength in Turbo.

LOW Server-provided image filename interpolated into local path without sanitization -10

The script constructs the local save path by directly interpolating the filename returned by the ComfyUI API: f"image-gens/(unknown)". A malicious or compromised ComfyUI server could return a crafted filename such as '../../../.bashrc' or '../../.ssh/authorized_keys' to write files outside the intended image-gens/ directory, potentially overwriting sensitive files.

LOW Undocumented 'sync to local document folders' capability with no scope definition -5

SKILL.md describes an Auto-Backup feature that 'can be configured to sync to local document folders' with no specification of which folders, what data is included, or where synced files go. This implies a latent capability to read and copy user files beyond the image-gens/ directory that is not implemented in the reviewed code but could be added via workflow configuration.

INFO SKILL.md is clean — no injection patterns detected 0

Full review of SKILL.md found no instruction-override text, persona-switch directives, hidden Unicode, HTML comments, base64-encoded payloads, or instructions to fetch external URLs. The document is straightforward usage documentation for a local image generation tool.

INFO Installation limited to expected GitHub sparse-checkout traffic 0

Network capture confirms the only external TCP connection initiated during skill installation was to GitHub (140.82.121.3:443) via git-remote-https for the sparse-checkout clone. DNS resolution queried only github.com. The 185.125.188.54:443 (Ubuntu/Canonical) connection was present in the BEFORE network snapshot and is unrelated to the skill install.

INFO All honeypot credentials accessed but confirmed intact 0

The monitoring framework's canary integrity check reports all honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) are unmodified and were not transmitted to any network endpoint. The read events logged at 1771921508.640 and 1771921532.788 align with the Oathe framework's own baseline-read and post-test-verification phases, not with any action taken by the skill code or its installation process.