Standards

Base Standards

1. Community Value

Custom nodes must provide valuable functionality to the ComfyUI community

Avoid:

Excessive self-promotion
Impersonation or misleading behavior
Malicious behavior
Self-promotion is permitted only within your designated settings menu section
Top and side menus should contain only useful functionality

2. Node Compatibility

Do not interfere with other custom nodes’ operations (installation, updates, removal)

For dependencies on other custom nodes:
- Display clear warnings when dependent functionality is used
- Provide example workflows demonstrating required nodes

3. Legal Compliance

Must comply with all applicable laws and regulations

5. Quality Requirements

Nodes must be fully functional, well documented, and actively maintained.

6. Fork Guidelines

Forked nodes must:

Have clearly distinct names from original
Provide significant differences in functionality or code

Below are standards that must be met to publish custom nodes to the registry.

Security Standards

Custom nodes should be secure. We will start working with custom nodes that violate these standards to be rewritten. If there is some major functionality that should be exposed by core, please request it in the rfcs repo.

eval/exec Calls

Policy

The use of eval and exec functions is prohibited in custom nodes due to security concerns.

Reasoning

These functions can enable arbitrary code execution, creating potential Remote Code Execution (RCE) vulnerabilities when processing user inputs. Workflows containing nodes that pass user inputs into eval or exec could be exploited for various cyberattacks, including:

Keylogging
Ransomware
Other malicious code execution

subprocess for pip install

Policy

Runtime package installation through subprocess calls is not permitted.

Reasoning

First item ComfyUI manager will ship with ComfyUI and lets the user install dependencies
Centralized dependency management improves security and user experience
Helps prevent potential supply chain attacks
Eliminates need for multiple ComfyUI reloads

Code Obfuscation

Policy

Code obfuscation is prohibited in custom nodes.

Reasoning

Obfuscated code:

Impossible to review and likely to be malicious

ComfyUI Server

CLI

Develop Custom Nodes

Registry

Specifications

Base Standards

1. Community Value

2. Node Compatibility

3. Legal Compliance

5. Quality Requirements

6. Fork Guidelines

Security Standards

eval/exec Calls

Policy

Reasoning

subprocess for pip install

Policy

Reasoning

Code Obfuscation

Policy

Reasoning

ComfyUI Server

CLI

Develop Custom Nodes

Registry

Specifications

​Base Standards

​1. Community Value

​2. Node Compatibility

​3. Legal Compliance

​5. Quality Requirements

​6. Fork Guidelines

​Security Standards

​eval/exec Calls

​Policy

​Reasoning

​subprocess for pip install

​Policy

​Reasoning

​Code Obfuscation

​Policy

​Reasoning

Base Standards

1. Community Value

2. Node Compatibility

3. Legal Compliance

5. Quality Requirements

6. Fork Guidelines

Security Standards

eval/exec Calls

Policy

Reasoning

subprocess for pip install

Policy

Reasoning

Code Obfuscation

Policy

Reasoning