Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ad-Ready Pro
v1.0.0
Generate professional advertising images from product URLs using the Ad-Ready pipeline on ComfyDeploy. Use when the user wants to create ads for any product by providing a URL, optionally with a brand profile (70+ brands) and funnel stage targeting. Supports model/talent integration, brand-aware creative direction, and multi-format output. Differs from Morpheus (manual fashion photography) — Ad-Ready is URL-driven, brand-intelligent, and funnel-stage aware.
by Paul de Lavallaz (@pauldelavallaz)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's stated purpose (generate ads via ComfyDeploy) aligns with the included script and SKILL.md. However the package metadata declares no required env vars or config paths while both the instructions and generate.py clearly rely on a COMFY_DEPLOY_API_KEY and on a local brand catalog at ~/clawd/ad-ready/configs/Brands. That mismatch is an incoherence: the skill will need credentials and access to the user's home config area but the metadata doesn't advertise that.
Instruction Scope
SKILL.md instructs the agent to fetch product pages, scrape and download product images and brand logos, search the web for reference images, save files in /tmp, and then upload images/inputs to an external API (ComfyDeploy). These actions go beyond pure 'image generation' surface — they involve arbitrary network fetches and uploading potentially proprietary images to a third-party endpoint. The instructions also explicitly tell the agent to run other skills (brand-analyzer) and to search the web for logos, which increases the scope of what will be accessed and transmitted.
Install Mechanism
This is an instruction-only skill with a bundled Python script; there is no install spec. The script lists dependencies (httpx, beautifulsoup4) in comments but doesn't declare installation steps. Lack of an install spec is low risk by itself but means runtime failures or unexpected ad-hoc installation attempts could occur.
Credentials
Metadata declares no required environment variables, but SKILL.md and the script both require COMFY_DEPLOY_API_KEY (used as a Bearer token for uploading files and queuing runs). The script also reads the user's home directory for brand profiles (BRANDS_DIR). There is a hard-coded third-party logo service URL including an embedded token (img.logo.dev?token=pk_X-1ZO13GSgeOoUrIuJ6GMQ) which may be unnecessary or unexpected. These environment and credential uses are not documented in the metadata and therefore not proportionate.
Persistence & Privilege
The skill does not request always:true and does not declare modifications to other skills or system-wide settings. Autonomous invocation is allowed (default), which is normal — but combined with the other concerns (automatic fetching and uploading) it increases the potential blast radius.
What to consider before installing
Before installing, note these specific concerns:
(1) The script requires a COMFY_DEPLOY_API_KEY (Bearer token) but the skill metadata does not list it — you will need to provide that credential; only supply it if you trust the ComfyDeploy endpoint and this skill's author.
(2) The skill will read ~/clawd/ad-ready/configs/Brands to find brand profiles and may prompt you to run a brand-analyzer skill; review any local brand files the skill will access.
(3) In auto-fetch mode the agent will scrape product pages and search/download logos and reference images from the web, then upload images and inputs to api.comfydeploy.com — do not use auto-fetch with proprietary or sensitive product pages you do not want sent to a third party.
(4) The script contains a hard-coded logo service URL with an embedded token — that is unexpected and should be reviewed.
(5) There's no install spec for dependencies; run in a controlled/test environment first and inspect network traffic or run offline if you need to verify behavior.
If you still want to use it, request the skill author/source/homepage, confirm the COMFY_DEPLOY_API_KEY handling, and consider running it with a limited/test API key and on non-sensitive assets.
Like a lobster shell, security has layers — review code before you run it.
