Security feature

[VyneNave]

I'm fairly new to ComfyUI, but have worked for nearly 2 years now with Automatic1111. I do see some good features with ComfyUI and some that Automatic1111 has but ComfyUI doesn't. But it seems that everything that can enhance ComfyUI really much depends on ComfyUI Manager. So like a lot of AI enthusiasts I heard of the big security issue that happened when a hacker snuck code into ComfyUI nodes ( I think it was nodes). Since I really like to avoid being the victim of data theft I'm:

1. A little hesistant about using ComfyUI manager, since it seems like the perfect opportunity for strangers to sneak in some problematic code.
2. Wondering if this update "V2.37 Show a ✅ mark to accounts that have been active on GitHub for more than six months." couldn't be a security risk. It seems like this could make people believe that a user is trustworthy even though six months is not that long and since the last hacker stole a lot of information there is really no guarantee that another hacker couldn't have stolen someones github account information and use that account to trick people.

I'm not sure how actively the next security features are worked on, but maybe it would be a good idea to either raise the time needed or put multiple verification conditions in place, to make sure a person is not only active for a specific amount of time, but also has met other conditions.

[ltdrdata]

The 6-month based marker was initially added as a temporary measure, and I agree that it is too short.
It would be better to extend the period to 2 years for now.
This is still a temporary measure, and ultimately, verification will be done through comfyregistry.

[andreszs]

To enhance user awareness, a confirmation prompt could be displayed before installing relatively new or lesser-known plugins.

For example, you already track the number of stars on repositories, which is a helpful indicator. If a repository has fewer than 100 stars, a native JavaScript confirm() message could be shown to the user before proceeding with the installation:

The following plugins are not widely recognized by the community:

• ComfyUI-Melfish-Custom-Scripts
• ComfyUI-Bitcoin-Mining-Nodes
• ComfyUI-Super-Password-Keylogger-Helper

Installing untrusted plugins could compromise your system. Are you sure you want to continue?

While this approach isn't foolproof, it would help raise awareness of the risks associated with installing unknown plugins, as the OP wisely deduced. After all, the Plugin Manager effectively exposes your system to potential attackers by allowing malicious code to be hidden within seemingly innocent ComfyUI nodes. The Manager, now as popular as ComfyUI itself, could and should begin serving as a gatekeeper between unaware users and malicious repositories.