comfyui-imagegen
Audited by Socket on Feb 27, 2026
1 alert found:
Security
This SKILL.md documents a plausible, mostly-local image-generation workflow using ComfyUI with structured JSON prompts. It does not contain explicit malicious code, downloads, or obfuscated payloads. However, the design includes several supply-chain and privacy risks: autonomous automatic uploading of generated images to external chat channels (Telegram) via a spawned sub-agent, usage of sessions_spawn that executes filesystem and messaging commands, and the ability to change the ComfyUI host which could redirect prompts/images to a remote, attacker-controlled server. These factors create a non-trivial risk of data exfiltration and unauthorized uploads if the skill is run without careful access controls and host verification. I assess this as not overtly malicious but as a moderately high-security-risk skill that requires governance: restrict spawn/sub-agent usage, require explicit user consent before each upload, and enforce host=localhost or verify remote host trust before use.