TL;DR: ComfyUI saves prompts, workflow state, file paths, and sometimes live API keys into PNG metadata by default, and TruffleHog found 159,752 metadata-bearing images across ten Discord servers, including 681 with verified live keys. That makes casual image sharing a governance problem, not just a content-handling issue.
NHIMG editorial — based on content published by TruffleHog: API Keys Leaking in PNG Metadata of AI Images
By the numbers:
- We pulled 2.49 million image attachments from ten of the most popular AI image-generation Discord communities.
Questions worth separating out
Q: How should security teams handle secrets embedded in AI-generated images?
A: Treat AI-generated images as sensitive artefacts until proven clean.
Q: Why do AI image workflows create NHI risk outside code repositories?
A: Because the workflow can serialize credentials, prompts, and environment details into the artefact itself.
Q: What do teams get wrong about bypassing nodes with secrets?
A: They assume a bypassed node is effectively absent.
Practitioner guidance
- Scan generated media before sharing Add secret detection to AI output review flows so PNGs, images, and other exported artefacts are checked for embedded metadata, API keys, and private paths before publication or handoff.
- Disable or strip metadata at the export boundary Where the platform allows it, remove metadata during export and re-encode images before they leave controlled environments.
- Replace plain-text secret fields in custom nodes Require plugin developers to stop using generic text widgets for credentials and move integrations that handle API keys behind managed secret stores or non-exported configuration patterns.
What's in the full article
TruffleHog's full post covers the operational detail this post intentionally leaves for the source:
- The exact extraction method used to decode PNG metadata from large Discord image sets.
- Examples of live secrets, local endpoints, and filesystem paths recovered from ComfyUI output files.
- The command-line validation workflow used to confirm whether embedded keys were still live.
- Practical cleanup guidance for re-encoding images and checking whether metadata has been removed.
👉 Read TruffleHog's analysis of API keys leaking in ComfyUI PNG metadata →
ComfyUI PNG metadata leaks: what security teams need to know?
Explore further
ComfyUI PNG metadata leakage is really a secret persistence problem, not a file-format curiosity. The failure is that generated artefacts preserve workflow state by design, so sensitive values follow the image outside the control plane where they were created. That means the identity boundary moves from the application session to the shared file, and traditional secrets hygiene no longer sees the whole exposure surface. Practitioners should treat exported media as part of the credential lifecycle.
A few things that frame the scale:
- 28% of secrets incidents now originate outside code repositories, in Slack, Jira, and Confluence, and are 13% more likely to be categorised as critical than code-based leaks, according to Guide to the Secret Sprawl Challenge.
- Our research also found that 64% of valid secrets leaked in 2022 are still valid and exploitable today, which is why detection without revocation leaves material exposure behind.
A question worth separating out:
Q: How can organisations reduce risk from community-built AI plugins?
A: Set governance rules for third-party nodes that can accept credentials, especially those used for image generation, LLM calls, or local model endpoints. Require a review of how the plugin stores secrets, whether it serializes state into outputs, and whether its data handling meets your NHI policy before approval.
👉 Read our full editorial: ComfyUI PNG metadata turns image sharing into secret exposure