Standards
Security and other standards for publishing to the Registry
Base Standards
1. Community Value
Custom nodes must provide valuable functionality to the ComfyUI community
Avoid:
- Excessive self-promotion
- Impersonation or misleading behavior
- Malicious behavior
Menu placement:
- Self-promotion is permitted only within your designated settings menu section
- Top and side menus should contain only useful functionality
2. Node Compatibility
Do not interfere with other custom nodes' operations (installation, updates, removal).
- For dependencies on other custom nodes:
  - Display clear warnings when dependent functionality is used
  - Provide example workflows demonstrating the required nodes
3. Legal Compliance
Must comply with all applicable laws and regulations
5. Quality Requirements
Nodes must be fully functional, well documented, and actively maintained.
6. Fork Guidelines
Forked nodes must:
- Have clearly distinct names from original
- Provide significant differences in functionality or code
Below are standards that must be met to publish custom nodes to the registry.
Security Standards
Custom nodes should be secure. We will begin working with the authors of custom nodes that violate these standards to get them rewritten. If there is major functionality that should be exposed by core, please request it in the rfcs repo.
eval/exec Calls
Policy
The use of the eval and exec functions is prohibited in custom nodes due to security concerns.
Reasoning
These functions enable arbitrary code execution, creating potential Remote Code Execution (RCE) vulnerabilities whenever they process user input. Workflows containing nodes that pass user input into eval or exec could be exploited for various cyberattacks, including:
- Keylogging
- Ransomware
- Other malicious code execution
subprocess for pip install
Policy
Runtime package installation through subprocess calls is not permitted.
Reasoning
- ComfyUI Manager will ship with ComfyUI and lets the user install dependencies
- Centralized dependency management improves security and user experience
- Helps prevent potential supply chain attacks
- Eliminates need for multiple ComfyUI reloads
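A small checker for the two rules above, added here as an example and not part of the Registry's tooling: it parses a custom node's source with Python's ast module and flags bare eval()/exec() calls and subprocess calls whose arguments run "pip install". The sample node source is constructed for the demonstration; the package name in it is a placeholder.

```python
import ast
from typing import List, Tuple

SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}

# Constructed sample of a node that breaks both policies (not a real package).
SAMPLE_NODE_SOURCE = '''
import subprocess, sys
def run(self, expr):
    return eval(expr)  # user-supplied string straight into eval
subprocess.check_call([sys.executable, "-m", "pip", "install", "somepkg"])
'''

def _call_name(node: ast.Call) -> str:
    """Dotted name of the callee, e.g. 'eval', 'subprocess.run', 'model.eval'."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))

def _string_args(node: ast.Call) -> List[str]:
    """String literals passed directly, or inside a list/tuple literal."""
    out = []
    for arg in node.args:
        for e in (arg.elts if isinstance(arg, (ast.List, ast.Tuple)) else [arg]):
            if isinstance(e, ast.Constant) and isinstance(e.value, str):
                out.append(e.value)
    return out

def find_violations(source: str) -> List[Tuple[int, str]]:
    """Return sorted (line, reason) pairs for each prohibited call in source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        base = name.rsplit(".", 1)[-1]
        # Only bare eval()/exec(): torch's model.eval() is an unrelated method.
        if name in ("eval", "exec", "builtins.eval", "builtins.exec"):
            findings.append((node.lineno, f"{name}() call is prohibited"))
        elif base in SUBPROCESS_FUNCS and (name == base or name.startswith("subprocess.")):
            words = " ".join(_string_args(node)).split()
            if "pip" in words and "install" in words:
                findings.append((node.lineno, f"runtime pip install via {name}"))
    return sorted(findings)
```

Running find_violations(SAMPLE_NODE_SOURCE) reports the eval call on line 4 and the pip install on line 5; a static check like this only catches literal patterns, so it complements rather than replaces a human review.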
Code Obfuscation
Policy
Code obfuscation is prohibited in custom nodes.
Reasoning
Obfuscated code is impossible to review and likely to be malicious.