comfyui

clawhub:comfyui

View source

92/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

92/100

MEDIUM 1

LOW 1

Findings (2)

MEDIUM

Conditional download and install EXTDL_014

external-download L43

Detects patterns that check for tool existence and install if missing

If not installed:** Install ComfyUI (e.g. clone the repo, create a venv, install

FIX

Replace conditional download-and-install logic with explicit dependency declarations in a manifest file (package.json, requirements.txt). Verify checksums for any runtime downloads.

FP?

Likely FP if the conditional install is documentation showing standard prerequisite checks (e.g., checking if a tool is installed before installing it).

LOW

User-provided URL consumed by agent INDIRECT_005

indirect-injection L99

Detects skills where user-provided URLs are consumed and processed by the agent

download. Input: URL

FIX

Validate and sanitize user-provided URLs before fetching them. Implement URL allowlisting, block private/internal IP ranges, and treat fetched content as untrusted data.

FP?

Likely FP if the skill is a web browser or URL fetcher where consuming user-provided URLs is the documented core feature with appropriate sandboxing.