Scan Report
10 /100
comfyskill
ComfyUI image generation skill - sends prompts to local ComfyUI instance
A straightforward ComfyUI image generation skill with no malicious behavior; code matches documentation and uses only declared local network/filesystem access.
Safe to install
Skill is safe to use. Consider documenting the environment variables (COMFYUI_ENDPOINT, WORKFLOW_PATH) in SKILL.md for transparency.
Findings (1 item)
| Severity | Finding | Location |
|---|---|---|
| Low | Undeclared environment variable access (Doc Mismatch) | index.js:5 |

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | index.js:6 - fs.readFileSync reads workflow JSON |
| Network | WRITE | WRITE | ✓ Aligned | index.js:14 - fetch POST to local endpoint |
| Environment | NONE | READ | ✓ Aligned | index.js:5,7 - reads COMFYUI_ENDPOINT and WORKFLOW_PATH from env |
1 finding

| Severity | Finding | Location |
|---|---|---|
| Medium | External URL: http://127.0.0.1:8188 | SKILL.md:13 |

File Tree
4 files · 2.7 KB · 62 lines
JavaScript 1f · 26L
JSON 2f · 22L
Markdown 1f · 14L
├─ index.js (JavaScript)
├─ package.json (JSON)
├─ SKILL.md (Markdown)
└─ workflow.json (JSON)
Security Positives
✓ Network access restricted to localhost (127.0.0.1:8188) only - no external communication
✓ No credential theft - does not access SSH, AWS, or other sensitive credential paths
✓ No data exfiltration - generated images stay local
✓ No obfuscation - code is clear and readable
✓ No shell execution or subprocess usage
✓ No remote script execution (curl|bash, wget|sh)
✓ No base64 or eval obfuscation patterns
✓ Dependencies are minimal (no external packages beyond Node.js built-ins)