v1.0.0

ComfyUI Video

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 7:23 AM.

Analysis

The skill appears coherent for automating ComfyUI video workflows, but users should be aware it involves running browser JavaScript and SSH commands against their own ComfyUI machine.

Guidance: This skill looks purpose-aligned and does not show malicious behavior. Before using it, make sure you trust your ComfyUI installation and workflow files, review the included JavaScript, run it only in the correct browser session, and prefer a non-root SSH account for monitoring and tunneling.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
scripts/batch_scenes.js
Run in the browser console or via JS evaluate ... window.app.loadGraphData(wf);

The helper is intentionally run inside the ComfyUI browser page and loads/modifies the current workflow graph. This is expected for the skill, but it is still browser-side code execution.

User impact: Running the script can change the active ComfyUI workflow, prompts, frame counts, image input, and output filename prefixes.
Recommendation: Review the script first and run it only in the intended ComfyUI tab/session.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
metadata
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

The package does not provide source provenance or an installation mechanism for the required ComfyUI/model environment. This is not suspicious by itself, but users must validate the surrounding setup.

User impact: The safety and correctness of the actual ComfyUI installation, custom nodes, workflow file, and model files are outside this skill’s package.
Recommendation: Install ComfyUI, custom nodes, workflows, and models only from trusted sources and verify their paths and versions before use.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
ssh -p PORT root@HOST "grep 'it/s' /tmp/comfy.log | tail -1"

The monitoring examples use SSH to a remote host as root. The shown commands are limited to log/output inspection, but root SSH is broad authority.

User impact: If copied directly, these commands require highly privileged access to the ComfyUI host.
Recommendation: Use a least-privileged SSH account where possible and verify HOST, PORT, and commands before running them.