comfyui-mcp-secure
A secure MCP (Model Context Protocol) server for ComfyUI. Enables AI assistants like Claude to generate images, run workflows, and manage jobs through ComfyUI — with built-in security controls that existing ComfyUI MCP servers lack.
Using Claude? This repo also ships as a Claude Code plugin — 8 /comfy:* slash commands (/comfy:gen, /comfy:workflow, /comfy:troubleshooting, …) and a PostToolUse security hook, all pre-wired to the MCP server. One command to install: claude plugin install . See Install as a Claude plugin for the full reference + worked end-to-end example.
Why this exists
Every existing ComfyUI MCP server is a thin passthrough to ComfyUI's API with no security guardrails. They allow arbitrary workflow execution (including malicious custom nodes that run eval/exec), have no input validation, no file path sanitization, no rate limiting, and no audit trail.
This server adds five security layers between the AI assistant and ComfyUI:
| Layer | What it does |
|---|
| Workflow Inspector | Parses every workflow before execution, extracts node types, flags dangerous patterns (eval, exec, __import__, subprocess). Configurable audit-only or enforcement mode. |
| Path Sanitizer | Validates all filenames, subfolders, and URL path segments — blocks path traversal (../), null bytes, percent-encoded attacks, absolute paths, and disallowed file extensions. |
| Rate Limiter | Token-bucket rate limiting per tool category to prevent runaway loops. |
| Audit Logger | Structured JSON logging of every operation with automatic redaction of sensitive fields (tokens, passwords). |
| Selective API Surface | Only exposes safe ComfyUI endpoints. Dangerous endpoints (/userdata, /free, /users) are never proxied. /system_stats is called internally by comfyui_get_system_info but only a strict whitelist (GPU VRAM, queue counts, version) is returned. |
Real-time progress tracking
When wait=True is passed to comfyui_generate_image or comfyui_run_workflow, the server connects to ComfyUI's WebSocket to track execution in real time — reporting step progress, current node, and output files when complete. If the WebSocket connection fails, it automatically falls back to HTTP polling. Use comfyui_get_progress to check status of any job at any time.
For workflow streaming, use the mode that matches your use case:
comfyui_run_workflow(..., wait=True) returns a summarized, tool-friendly completion response.comfyui_run_workflow_stream(...) returns raw WebSocket event flow (progress, executing, executed, etc.) plus final status and outputs.
Structured output & rich schemas
Tools expose Pydantic Field constraints on input parameters (ranges, lengths, descriptions) and outputSchema for structured responses. MCP clients get:
- Input validation: Parameter constraints like
steps: 1-100, cfg: 1.0-30.0, width: 64-4096 appear in the tool's JSON schema
- Output schemas: 26 tools return structured data with auto-generated
outputSchema, enabling clients to parse responses without guessing the shape
- Streamable HTTP transport: Optional remote transport via
transport.remote.enabled using the MCP spec's recommended Streamable HTTP protocol
Recent Breaking Changes (2026-05)
2.1.0 (2026-05-12) is additive — no breaking changes since 2.0.0. Adds
comfyui_analyze_workflow, replaces the bespoke Ollama eval runner with an
Inspect AI Task module, and introduces a Phase 5 live-execution eval. See
the CHANGELOG for the full per-PR breakdown. The breaking
changes below all shipped in 2.0.0.
Parameter renames — update keyword arguments (positional calls are unaffected):
comfyui_install_custom_node, comfyui_uninstall_custom_node, comfyui_update_custom_node: id → node_id.comfyui_summarize_workflow: format → output_format, restricted to text or mermaid via a Pydantic Literal.
Response-shape changes — these tools now return the standard pagination envelope {items, total, offset, limit, has_more} instead of bare lists or raw dicts:
comfyui_list_extensions (was: list[str])comfyui_list_model_folders (was: list[str])comfyui_list_workflows (was: dict[package_name, list[template]]; now flattened to items: [{package, templates}])
Callers must update to read result["items"] instead of indexing the response directly. The new envelope also exposes limit and offset parameters for pagination.
Unified return envelope for workflow-submitting tools — comfyui_run_workflow, comfyui_run_workflow_stream, comfyui_generate_image, comfyui_transform_image, comfyui_inpaint_image, comfyui_upscale_image now all return a uniform dict[str, Any] regardless of wait/stream mode:
