Base Standards

1. Community Value

Custom nodes must provide valuable functionality to the ComfyUI community.

Avoid:

  • Excessive self-promotion
  • Impersonation or misleading behavior
  • Malicious behavior

Self-promotion is permitted only within your designated settings menu section. Top and side menus should contain only useful functionality.

2. Node Compatibility

Do not interfere with other custom nodes’ operations (installation, updates, removal).

  • For dependencies on other custom nodes:
    • Display clear warnings when dependent functionality is used
    • Provide example workflows demonstrating required nodes

Must comply with all applicable laws and regulations

5. Quality Requirements

Nodes must be fully functional, well documented, and actively maintained.

6. Fork Guidelines

Forked nodes must:

  • Have names clearly distinct from the original
  • Provide significant differences in functionality or code

Below are standards that must be met to publish custom nodes to the registry.

Security Standards

Custom nodes should be secure. We will start working with custom nodes that violate these standards so that they are rewritten. If there is major functionality that core should expose, please request it in the rfcs repo.

eval/exec Calls

Policy

The use of eval and exec functions is prohibited in custom nodes due to security concerns.

Reasoning

These functions can enable arbitrary code execution, creating potential Remote Code Execution (RCE) vulnerabilities when processing user inputs. Workflows containing nodes that pass user inputs into eval or exec could be exploited for various cyberattacks, including:

  • Keylogging
  • Ransomware
  • Other malicious code execution

subprocess for pip install

Policy

Runtime package installation through subprocess calls is not permitted.

Reasoning

  • ComfyUI manager will ship with ComfyUI and lets the user install dependencies
  • Centralized dependency management improves security and user experience
  • Helps prevent potential supply chain attacks
  • Eliminates need for multiple ComfyUI reloads
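As an added illustration (not part of the registry's own tooling), the following static check shows how a node author or reviewer could flag the two patterns covered by the eval/exec and subprocess policies above. The sample module, the rule names and the function names are constructed for this example.

```python
import ast

# Constructed sample of a custom node module that breaks both policies.
SAMPLE_NODE = '''
import subprocess, sys

class MathNode:
    def run(self, expression):
        return (eval(expression),)

def ensure_deps():
    subprocess.check_call([sys.executable, "-m", "pip", "install", "requests"])
    subprocess.run("pip install numpy", shell=True)
    subprocess.run(["git", "--version"])
'''

SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}

def _string_constants(node):
    """Yield every string literal found anywhere under an AST node."""
    for child in ast.walk(node):
        if isinstance(child, ast.Constant) and isinstance(child.value, str):
            yield child.value

def _is_pip_install(call):
    """True if the call's arguments contain both a pip token and 'install'."""
    tokens = []
    for arg in list(call.args) + [kw.value for kw in call.keywords]:
        for text in _string_constants(arg):
            tokens.extend(text.split())
    return any(t in ("pip", "pip3") for t in tokens) and "install" in tokens

def find_violations(source):
    """Return sorted (line, rule) pairs for eval/exec calls and pip installs
    launched through the subprocess module."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Name) and func.id in ("eval", "exec"):
            found.append((node.lineno, f"{func.id}-call"))
        elif (isinstance(func, ast.Attribute) and func.attr in SUBPROCESS_FUNCS
              and isinstance(func.value, ast.Name) and func.value.id == "subprocess"
              and _is_pip_install(node)):
            found.append((node.lineno, "subprocess-pip-install"))
    return sorted(found)

if __name__ == "__main__":
    for line, rule in find_violations(SAMPLE_NODE):
        print(f"line {line}: {rule}")
```

This is a heuristic: it does not follow aliased imports such as `from subprocess import run` or indirect lookups of `eval`, so a clean result is not proof of compliance.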

Code Obfuscation

Policy

Code obfuscation is prohibited in custom nodes.

Reasoning

Obfuscated code:

  • Impossible to review and likely to be malicious