comfy-cli

[Skill Scanner] Credential file access detected Based on the documentation alone, the skill's declared capabilities align with its purpose: installing and managing ComfyUI, nodes, and models. The primary security concern is standard supply-chain risk: the CLI fetches and installs third-party code and models (including PR builds and arbitrary URLs) and stores API tokens locally. Those actions are expected for this tool but require safe implementation (validate signatures, use official endpoints, avoid executing untrusted scripts blindly, protect config tokens). No explicit malicious behavior or obfuscation is visible in the supplied text. Because no implementation code was provided, this assessment cannot detect implementation-level issues (e.g., insecure downloads, command injection, telemetry to unexpected endpoints). Recommend reviewing the actual implementation for how downloads are verified, where network endpoints are contacted, and how external install scripts are executed before trusting and running the CLI. LLM verification: The skill's declared capabilities match a legitimate ComfyUI management CLI and the requested config/tokens are proportionate to model downloads. However, because it downloads and installs builds, node packages, and models from remote sources and executes installs and launched processes, it presents moderate supply-chain risk if sources are untrusted or if the implementation does not verify integrity. I find no direct evidence of hidden malware or obfuscation in the provided documentation, but t