Low risk: risk score 10/100
Last scan: 1 day ago
comfyskill
ComfyUI image generation skill - sends prompts to local ComfyUI instance
A straightforward ComfyUI image generation skill with no malicious behavior; code matches documentation and uses only declared local network/filesystem access.
Skill name: comfyskill
Analysis time: 26.8s
Engine: pi
Verdict: can be installed
Skill is safe to use. Consider documenting the environment variables (COMFYUI_ENDPOINT, WORKFLOW_PATH) in SKILL.md for transparency.

Security findings: 1

Severity: Low
Finding: Undeclared environment variable access (category: documentation deception)
Location: index.js:5
The code reads COMFYUI_ENDPOINT and WORKFLOW_PATH from process.env, but SKILL.md only mentions 'endpoint' and 'workflow' without clarifying that these are environment variables.
    const endpoint = process.env.COMFYUI_ENDPOINT || "http://127.0.0.1:8188";
→ Recommendation: add environment variable documentation to SKILL.md for full transparency.
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | READ | READ | ✓ consistent | index.js:6 - fs.readFileSync reads workflow JSON
Network access | WRITE | WRITE | ✓ consistent | index.js:14 - fetch POST to local endpoint
Environment variables | NONE | READ | ✓ consistent | index.js:5,7 - reads COMFYUI_ENDPOINT and WORKFLOW_PATH from env
1 finding
Severity: Medium
Type: External URL
URL: http://127.0.0.1:8188
Location: SKILL.md:13

Directory structure

4 files · 2.7 KB · 62 lines
JavaScript: 1 file, 26 lines · JSON: 2 files, 22 lines · Markdown: 1 file, 14 lines
├─ index.js (JavaScript, 26 lines, 868 B)
├─ package.json (JSON, 10 lines, 140 B)
├─ SKILL.md (Markdown, 14 lines, 294 B)
└─ workflow.json (JSON, 12 lines, 1.4 KB)

Security highlights

✓ Network access restricted to localhost (127.0.0.1:8188) only - no external communication
✓ No credential theft - does not access SSH, AWS, or other sensitive credential paths
✓ No data exfiltration - generated images stay local
✓ No obfuscation - code is clear and readable
✓ No shell execution or subprocess usage
✓ No remote script execution (curl|bash, wget|sh)
✓ No base64 or eval obfuscation patterns
✓ Dependencies are minimal (no external packages beyond Node.js built-ins)