SkillTotal

Is AUTOMATIC1111/stable-diffusion-webui safe?

stable-diffusion-webui is an AI component (listed here as an npm_package, although nearly all of the flagged evidence is Python) analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 7 risky constructs are reported for review. Its capabilities are dynamic code execution, filesystem read, filesystem write, network egress and shell execution; capabilities describe what the code can do, not a verdict on intent. Risk score 10/100 (low).

stable-diffusion-webui 0.0.0

npm_package · https://github.com/AUTOMATIC1111/stable-diffusion-webui
LOW · 10 / 100 risk score
Snapshot · scanned Jul 2, 2026 · stable-diffusion-webui@0.0.0 · engine 0.24.0 / ruleset 25
No malicious indicators - review capabilities before installing
Notable — review in context (capabilities are not malware):
  • Python shell/command execution
  • Python dynamic code execution
  • Python filesystem write/delete

No malicious indicators found by static analysis.

Automated static-analysis result. It can contain false positives and false negatives, and is not a claim about the intent of AUTOMATIC1111/stable-diffusion-webui's authors.

Capabilities — what this component can do (not a risk score):
  • dynamic code execution
  • filesystem read
  • filesystem write
  • network egress
  • shell execution

Findings (7)

HIGH · Python dynamic code execution · ST-DYN-PY

The code turns strings into live code at runtime (eval / exec in Python, new Function in JavaScript). In the evidence below the input has already been parsed into an AST, which is then compiled and run inside a module's namespace; that is no safer than exec on the raw string, because whatever produced the AST decides what runs.

exec(compile(init_ast, "<ast>", "exec"), module.__dict__)
return eval(compile(convertExpr2Expression(last_ast.body[0]), "<ast>", "eval"), module.__dict__)
exec(compile(last_ast, "<ast>", "exec"), module.__dict__)

Why it matters: If those strings aren't fixed and trusted, they become a way to run arbitrary code. Compiling an AST instead of a string changes nothing: the AST carries exactly the power of the source it was parsed from.

Fix: Avoid evaluating dynamically constructed code; if unavoidable, ensure the input is a trusted constant and never derived from external data.

HIGH · Python shell/command execution · ST-SHELL-PY

The component can run operating-system commands or spawn processes.

ret = subprocess.check_output(
            [self.GIT_PYTHON_GIT_EXECUTABLE, "cat-file", "--batch-check"],
            input=self._prepare_ref(ref),
            cwd=self._working_dir,
            timeout=2,
        )
ret = subprocess.check_output(
            [self.GIT_PYTHON_GIT_EXECUTABLE, "cat-file", "--batch"],
            input=self._prepare_ref(ref),
            cwd=self._working_dir,
            timeout=30,
        )
return subprocess.check_output([git, "-C", script_path, "rev-parse", "HEAD"], shell=False, encoding='utf8').strip()
return subprocess.check_output([git, "-C", script_path, "describe", "--tags"], shell=False, encoding='utf8').strip()
result = subprocess.run(**run_kwargs)
result = subprocess.run([python, "-c", code], capture_output=True, shell=False)
output = subprocess.check_output([git, '-C', subdir, 'pull', '--autostash'])
return subprocess.check_output([sys.executable, '-m', 'pip', 'freeze', '--all']).decode("utf8").splitlines()
return subprocess.check_output([launch_utils.git, '-C', path, *args], shell=False, encoding='utf8').strip()
subprocess.Popen(["open", path])
subprocess.Popen(["explorer.exe", subprocess.check_output(["wslpath", "-w", path])])
subprocess.Popen(["xdg-open", path])

Why it matters: Powerful and often legitimate. Every evidence line above passes an argv list with shell=False, which rules out shell metacharacter injection. The remaining question is whether any element of those lists (paths such as subdir, path and script_path, or the code string handed to python -c) can come from an untrusted source, because git and the Python interpreter parse their own arguments whether or not a shell is involved.

Fix: Confirm the command and its arguments are fully controlled and not derived from untrusted input; avoid shell=True.
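An added example, not stable-diffusion-webui code, showing the two halves of that advice: why shell=True with interpolated text is injectable, and why the argv-list form the evidence uses still needs an argument check when git is the target, since a path beginning with "-" is an option to git even with no shell present. USER_INPUT is a constructed value standing in for text a user could type into a web form; the function names are illustrative.

```python
import shlex
import subprocess
import sys

# Added example, not stable-diffusion-webui code. USER_INPUT is constructed.
USER_INPUT = "model.safetensors; echo INJECTED"

# Child program used by both variants: prints the arguments it received.
CHILD = "import sys; print(sys.argv[1:])"


def run_with_shell(user_value: str) -> str:
    """Vulnerable form: user text is spliced into a shell command line.
    The ';' ends the intended command and the shell runs what follows."""
    cmd = f"{shlex.quote(sys.executable)} -c {shlex.quote(CHILD)} {user_value}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def run_with_argv(user_value: str) -> str:
    """Hardened form, the shape the evidence lines use: an argv list with
    shell=False. The whole string reaches the child as one argument."""
    cmd = [sys.executable, "-c", CHILD, user_value]
    proc = subprocess.run(cmd, shell=False, capture_output=True, text=True)
    return proc.stdout


def git_command(repo_path: str, *fixed_args: str) -> list:
    """Build ['git', '-C', path, ...] as the flagged lines do, but refuse an
    option-like path: git would treat '--upload-pack=...' as an option, not a
    directory, with no shell involved. fixed_args are meant to be constants
    in the caller (e.g. 'rev-parse', 'HEAD'), never user input."""
    if repo_path.startswith("-"):
        raise ValueError(f"option-like repo path rejected: {repo_path!r}")
    return ["git", "-C", repo_path, *fixed_args]
```

The argv form protects the command boundary only. For the evidence line that runs python -c with a code variable, the list form is irrelevant: whoever controls code controls the child process, so that value has to be a constant or the same review as the dynamic-code finding applies.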

MEDIUM · Server bound to all network interfaces · ST-EXPOSE-BIND

A server is bound to all network interfaces (0.0.0.0), not just your own machine.

return "0.0.0.0" if cmd_opts.listen else None

Why it matters: 0.0.0.0 is selected only when the listen option (cmd_opts.listen) is set, so the default stays local. Once it is set, any host that can reach the port gets the UI unless authentication is configured, and the same option that exposes the UI does not by itself require it.

Fix: Bind to 127.0.0.1 for local-only use, or require authentication and restrict access if remote exposure is intended.
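An added example, not stable-diffusion-webui code, of the precondition the flagged one-liner lacks: return 0.0.0.0 only when credentials are actually configured, and fail closed otherwise. The credential format (user:password entries, comma- or newline-separated, in the spirit of the gradio_auth_path file the read finding references), the minimum password length and the function names are assumptions made for the demonstration.

```python
from typing import Dict, Optional

# Added example, not stable-diffusion-webui code. The entry format and the
# password policy below are assumptions for the demonstration.
MIN_PASSWORD_LEN = 12


def parse_auth_entries(text: str) -> Dict[str, str]:
    """Parse 'user:password' entries separated by commas or newlines.

    Blank lines and '#' comments are skipped; an entry with a missing or
    short password is an error, so an empty or sloppy file cannot silently
    satisfy the gate in resolve_bind_address."""
    creds: Dict[str, str] = {}
    for chunk in text.replace("\n", ",").split(","):
        entry = chunk.strip()
        if not entry or entry.startswith("#"):
            continue
        user, sep, password = entry.partition(":")
        if not sep or not user or len(password) < MIN_PASSWORD_LEN:
            raise ValueError(
                f"bad auth entry for {user!r}: need user:password with "
                f"{MIN_PASSWORD_LEN}+ character password")
        creds[user] = password
    return creds


def resolve_bind_address(listen: bool, creds: Dict[str, str]) -> Optional[str]:
    """Same decision as the flagged line, with the missing precondition.

    None keeps the framework default (loopback only). 0.0.0.0 is returned
    only when at least one credential exists; otherwise refuse to start
    rather than expose an unauthenticated UI to every host on the network."""
    if not listen:
        return None
    if not creds:
        raise RuntimeError("listen requested without credentials; refusing to bind 0.0.0.0")
    return "0.0.0.0"
```

Authentication at the application layer is the minimum; if the host is on anything but a trusted LAN, also restrict the port with a host firewall or put it behind a reverse proxy that terminates TLS, since the credentials otherwise travel in clear text.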

MEDIUM · Python filesystem read · ST-FS-PY-READ

The component reads files from disk.

with open(cache_filename, "r", encoding="utf8") as file:
with open(path, "r", encoding="utf-8") as f:
with open(metadata_filename, "r", encoding="utf8") as file:
with open(filename, "rb") as f:
with open(filename, "rb") as file:
with open(filename, "r", encoding="utf8") as file:
with open(config_state_file, "r", encoding="utf-8") as f:
with open(cmd_opts.gradio_auth_path, 'r', encoding="utf8") as file:
with open(filename, "r", encoding="utf8") as file:
with open(changelog_md, "r", encoding="utf-8") as file:
with open(settings_file, "r", encoding="utf8") as file:
with open(requirements_file, "r", encoding="utf8") as file:
with open(fn, "r", encoding="utf8") as file:
with open(filename, "r", encoding="utf8") as file:
with open(caption_filename, encoding="utf8") as file:
with open(filename, "rb") as file:
with open(filename, "rb") as file:
with open(filename, mode="rb") as file:
pl_sd = safetensors.torch.load(open(checkpoint_file, 'rb').read())
with open(path, "r", encoding="utf-8-sig", newline="") as file:
with open(shared_cmd_options.cmd_opts.ui_settings_file, 'r') as f:
with open(template_file, "r") as file:
with open(text_filename, "r", encoding="utf8") as file:
with open(logfile_path, "r", encoding="utf8", newline="") as file:
with open(fullfns[i], mode="rb") as f:

Why it matters: Usually legitimate, but worth confirming it can't be steered into reading sensitive files.

Fix: Confirm which files are read and that paths cannot be influenced by untrusted input to reach sensitive locations.

MEDIUM · Python filesystem write/delete · ST-FS-PY-WRITE

The component writes or deletes files on disk.

shutil.copyfile(cfg, checkpoint_filename)
with open(txt_fullfn, "w", encoding="utf8") as file:
shutil.rmtree(dir, ignore_errors=True)
os.remove(os.path.join(script_path, "tmp", "restart"))
with open(filename, "w", encoding="utf8") as file:
with open(filename, "w", encoding="utf8") as file:
with open(caption_filename, "w", encoding="utf8") as file:
with open(os.path.join(paths.data_path, "params.txt"), "w", encoding="utf8") as file:
shutil.copy(style_path, f"{style_path}.bak")
with open(style_path, "w", encoding="utf-8-sig", newline="") as file:
with open(model_file_path, "wb") as f:
with open(os.path.join(log_directory, filename), "w") as file:
with open(os.path.join(log_directory, filename), "a+", newline='') as fout:
print(interrogation_function(img), file=open(os.path.join(ii_output_dir, f"{left}.txt"), 'a', encoding='utf-8'))
with open(logfile_path, "w", encoding="utf8", newline="") as file:
with (open(logfile_path, "a", encoding="utf8", newline='') if shared.opts.save_write_log_csv else nullcontext()) as file:
with open(filename, "w", encoding="utf-8") as f:
shutil.rmtree(tmpdir, True)
shutil.move(tmpdir, target_dir)
shutil.rmtree(tmpdir, True)
with open(metadata_path, "w", encoding="utf8") as file:
with open(self.filename, "w", encoding="utf8") as file:

Why it matters: Usually legitimate, but worth confirming the paths can't be controlled by untrusted input.

Fix: Confirm which files are written/deleted and that paths cannot be influenced by untrusted input.
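An added example, not stable-diffusion-webui code, of the path check both the read finding and the write/delete finding ask for. Several evidence lines build paths with os.path.join(directory, name) where name could be user-influenced (a caption filename, a log-directory entry); the example shows why that join alone is not a containment check and how to confine the resolved path to its base directory. Directories, filenames and function names are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Added example, not stable-diffusion-webui code. Inputs are constructed.


def naive_join(base_dir: str, user_path: str) -> str:
    """The common pattern. If user_path is absolute, os.path.join discards
    base_dir entirely; '..' segments walk out of it."""
    return os.path.join(base_dir, user_path)


def safe_join(base_dir: str, user_path: str) -> Path:
    """Resolve base/user and require the result to sit strictly under base.

    Path.resolve() normalises '..' and follows symlinks, so a link inside the
    base that points elsewhere is caught as well as a textual traversal."""
    if not user_path:
        raise ValueError("empty path")
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    if base not in candidate.parents:
        raise ValueError(f"{user_path!r} escapes {base}")
    return candidate


def write_text_under(base_dir: str, user_path: str, text: str) -> Path:
    """Write only through safe_join. Mode 'x' also refuses to overwrite an
    existing file, which matters for logs and metadata written beside
    user-named outputs."""
    target = safe_join(base_dir, user_path)
    target.parent.mkdir(parents=True, exist_ok=True)
    with open(target, "x", encoding="utf8") as fh:
        fh.write(text)
    return target


def demo() -> dict:
    """Exercise the checks in a throwaway directory and report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        written = write_text_under(d, "captions/img-0001.txt", "a cat")
        results["written_inside"] = Path(d).resolve() in written.parents
        results["content"] = written.read_text(encoding="utf8")
        rejected = []
        for bad in ("../../etc/passwd", "/etc/passwd", "captions/../../x", "."):
            try:
                safe_join(d, bad)
            except ValueError:
                rejected.append(bad)
        results["rejected"] = rejected
    return results
```

The same safe_join belongs in front of every open(..., "r") whose filename is not a fixed configuration path; the read finding's list includes cmd_opts.gradio_auth_path and settings files that are operator-controlled and need no check, and per-image files whose names are derived from user choices and do.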

MEDIUM · Node.js network egress · ST-NET-NODE

The component makes outbound network requests.

const request = await fetch(url);

Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves.

Fix: Confirm the destination hosts are expected and that no sensitive data is sent off-host.

MEDIUM · Python network egress · ST-NET-PY

The component makes outbound network requests.

from urllib.parse import urlparse
parsed_url = urlparse(url)
response = requests.get(encoding, timeout=30, headers=headers)
commits = requests.get('https://api.github.com/repos/AUTOMATIC1111/stable-diffusion-webui/branches/master').json()
from urllib.parse import urlparse
file = urlparse(file).path
from urllib import request
request.urlretrieve(midas_urls[model_type], path)
response = requests.get(model_url)
with urllib.request.urlopen(url) as response:
quoted_filename = urllib.parse.quote(filename.replace('\\', '/'))

Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves. The urllib.parse lines above (urlparse, quote) only parse or encode URLs and open no connection; the egress is in requests.get, urllib.request.urlretrieve and urllib.request.urlopen. The last two also accept file:// URLs, so if the url value can be user-controlled it can read a local file instead of fetching a remote one.

Fix: Confirm the destination hosts are expected and that no sensitive data is sent off-host.
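An added example, not stable-diffusion-webui code, of the destination check both egress findings (the Python requests/urllib calls and the Node.js fetch(url)) ask for: an allowlist applied to the parsed hostname rather than to the URL string, which defeats the lookalike forms a substring check accepts. The allowed host set and the function name are assumptions for the demonstration.

```python
from urllib.parse import urlparse

# Added example, not stable-diffusion-webui code. The host set is an assumption.
ALLOWED_DOWNLOAD_HOSTS = frozenset({"huggingface.co", "github.com", "api.github.com"})


def check_download_url(url: str, allowed_hosts=ALLOWED_DOWNLOAD_HOSTS) -> str:
    """Return url unchanged if it may be fetched, else raise ValueError.

    Checks run on parsed components, not the raw string:
    - scheme must be https, which also blocks file:// (urllib.request would
      happily read a local file for it) and plain http;
    - hostname (already lowercased, userinfo and port stripped) must match an
      allowed host exactly, so 'https://huggingface.co@evil.example/' and
      'https://huggingface.co.evil.example/' both fail;
    - embedded credentials are refused outright.
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if host is None or host not in allowed_hosts:
        raise ValueError(f"host not allowed: {host!r}")
    if parts.username or parts.password:
        raise ValueError("credentials embedded in URL are rejected")
    return url
```

Pair this with a timeout on every call (two of the evidence lines pass none) and, for model downloads, a size limit and a checksum comparison against a value obtained out of band, since an allowed host still serves whatever the remote publisher uploaded.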


How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution. Methodology →