Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
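ComfyUI Image Generation
v1.0.0
Provides ComfyUI-based image generation, enforces use of the correct prompt field, avoids duplicate generation, and includes workflow and error-checking mechanisms.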
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the code and instructions: the skill edits ComfyUI workflow JSON, posts it to a ComfyUI server, waits for completion, and downloads/saves generated images. No unrelated credentials, binaries, or external services are requested.
Instruction Scope
SKILL.md and code stay within the generation domain: they load workflow JSONs from paths you supply (or the default), modify CLIPTextEncode nodes (using 'text'), POST the workflow to /prompt, poll /history/<id>, and fetch outputs via /view. Important to note: the full workflow JSON and prompt text are transmitted to the configured COMFYUI server (default is http://192.168.18.15:8188). If that server is remote or untrusted, prompts and any sensitive data embedded in workflows could be exposed.
Install Mechanism
No install specification; this is instruction-and-code-only. No downloads, package installs, or archive extraction are performed by the skill itself.
Credentials
The skill does not require declared environment variables or credentials. It will read COMFYUI_SERVER from the environment if present and otherwise uses a hard-coded default (an internal IP). It reads and writes files under configurable (but by-default host-mounted) paths (/mnt/share2win, /tmp, etc.). These file and server defaults are plausible for the stated purpose but warrant user attention: ensure COMFYUI_SERVER points to a trusted server and that workflows do not contain sensitive data.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It creates output directories/files under user-specified paths (normal for a generator). It does not modify other skills or global agent configuration.
Assessment
This skill appears to do what it says: edit ComfyUI workflows, submit them to a ComfyUI server, wait, and download images. Before using it:
- Verify COMFYUI_SERVER is set to a ComfyUI instance you trust (the default is an internal IP); otherwise prompts and workflow JSONs can be transmitted to that server.
- Review any workflow JSON files you point it at (they will be read and may include metadata or secrets). Avoid pointing it at system-wide config paths unless intended.
- Use controlled output paths to avoid overwriting important files; the skill will create directories and write files with the specified names.
- If you plan to run this in a multi-tenant or cloud environment, verify network access rules so the skill cannot talk to untrusted external endpoints.
If you want a higher assurance review, provide the COMFYUI server address you plan to use and example workflow JSONs so I can check for sensitive fields that would be transmitted.
Like a lobster shell, security has layers — review code before you run it.
latestvk974yzsx8a0660p597w89a9he58450e3
