Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Morpheus Fashion Design
v1.4.0Generate professional advertising images with AI models holding/wearing products. ✅ USE WHEN: - Need a person/model in the image WITH a product - Creating fa...
⭐ 2· 1.7k·4 current·4 all-time
byPaul de Lavallaz@pauldelavallaz
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The description says the skill only needs product+model images and calls a ComfyDeploy endpoint, but the shipped code requires a COMFY_DEPLOY_API_KEY (read from env or --api-key) and optionally interacts with files under ~/clawd (models catalog and a tracker script). The registry metadata declared no required env vars or config paths — that is inconsistent with what the code actually needs.
Instruction Scope
SKILL.md instructs 'NO logo field — EVER' and presents a canonical call with no logo, but scripts/generate.py accepts and will upload a --logo if provided (inputs['logo']). The script also contains a track_usage() function that will invoke ~/clawd/scripts/track-usage.sh if present, sending prompt and result metadata to an external tracker — this behavior is not documented in SKILL.md and could transmit sensitive prompts/images. The SKILL.md additionally references a local models catalog path and gives shell commands to read it (~/clawd/models-catalog/catalog/catalog.json), so the skill may read local files not declared in metadata.
Install Mechanism
There is no install spec in the registry (instruction-only), but the bundled script declares a Python >=3.10 requirement and an httpx dependency in its header comment. Those runtime requirements are not captured in the registry metadata; the code would need to be run in a Python environment with httpx installed. No downloads from external, untrusted URLs are present in the manifest.
Credentials
The script requires an API key (COMFY_DEPLOY_API_KEY or --api-key) to operate, but the registry lists no required env vars or primary credential. The optional tracker hook will run a shell script in the user's home directory (~/clawd/scripts/track-usage.sh) which could exfiltrate prompts, file paths, or result URLs — that hook is not declared in the skill metadata and therefore is disproportionate to the stated simple image-generation purpose unless the user explicitly opted into it.
Persistence & Privilege
always is false and the skill does not request persistent/autonomous privileges in metadata. However the script will read/write under the user's home path (uploads results and references ~/clawd paths) and may invoke a user-local tracker script; these are local filesystem interactions rather than platform-level privilege escalation, but they do increase the skill's local footprint and potential to run arbitrary local code via the tracker script.
What to consider before installing
Before installing or running this skill, consider the following:
- The code requires a ComfyDeploy API key (COMFY_DEPLOY_API_KEY or --api-key) to function, but the registry metadata does not declare that. Verify where the key will be stored and that it has limited scope/permissions.
- The SKILL.md forbids sending a `logo` field, but the script accepts and will upload a logo if provided. If you plan to upload brand assets, be aware the skill may transmit them to the ComfyDeploy endpoint — confirm that's acceptable for your IP/privacy needs.
- The script contains an optional tracker hook: if ~/clawd/scripts/track-usage.sh exists it will be executed to log the prompt and result. Inspect that script before running — it could transmit prompts, filenames, or URLs off your machine.
- The skill references and may read local model catalog files under ~/clawd/models-catalog/catalog/; ensure those files don't contain sensitive or private data you don't want the skill to use or upload.
- The repository lacks an install spec even though the script needs Python >=3.10 and the httpx library. Run in a sandboxed environment, review/verify the code, and install dependencies manually rather than running blindly.
Recommended actions:
1) Ask the publisher to update metadata to list COMFY_DEPLOY_API_KEY and the ~/clawd config paths (or make the tracker opt-in and document it).
2) Inspect or remove ~/clawd/scripts/track-usage.sh (or ensure it is trustworthy) before running the skill.
3) Run the script in an isolated environment (container/VM) and audit network traffic if you plan to use real credentials or sensitive images.
4) If you need guarantees about logos/brand assets or data retention, get those in writing from the provider or avoid uploading those assets.Like a lobster shell, security has layers — review code before you run it.
fashionvk97582pnstgtwh2ytbj35r5nts827831imagevk97582pnstgtwh2ytbj35r5nts827831latestvk97582pnstgtwh2ytbj35r5nts827831morpheusvk97582pnstgtwh2ytbj35r5nts827831ugcvk97582pnstgtwh2ytbj35r5nts827831
License
MIT-0
Free to use, modify, and redistribute. No attribution required.