comfy-media

SUSPICIOUS: The declared capabilities mostly fit the stated purpose of local media review and export, and data flow stays local/localhost. The main concern is install trust: the core `comfy-media` tool is not verifiably sourced from an official publisher in the provided evidence, and the skill adds a transitive dependency on `comfy-tools-setup`; `npx hyperframes` is more defensible because it is documented and registry-backed. No clear credential harvesting, covert exfiltration, or malicious mismatch is shown.