Skill v1.0.0
ClawScan security
On This Day Art · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 10, 2026, 1:19 PM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's files and instructions match its stated purpose (local daily image generation via ComfyUI with a WSL→Windows bridge), but there are some practical issues you should review (hard-coded IPs/paths and unclear Discord credential handling) before installing.
- Guidance: This skill appears to do what it says (local ComfyUI image generation from Wikipedia events), but review and adjust a few things before installing:
  1) Check the full on-this-day.sh for any automated Discord posting: find where it would read a bot token or channel ID and ensure no secret is hard-coded or sent to third parties.
  2) Replace or parameterize hard-coded defaults (COMFY_HOST=192.168.4.95, COMFY_DIR, /home/tony paths, default Discord channel ID) so they match your machine and don't accidentally point to someone else's host/channel.
  3) Run the scripts manually in a test run (./scripts/on-this-day/on-this-day.sh test and generate commands) to observe behavior before scheduling the cron job.
  4) Ensure your Windows firewall and ComfyUI are configured to keep the ComfyUI API local and authenticated if you ever expose it.
  If you want higher assurance, paste the remainder of on-this-day.sh (the truncated portion) so I can confirm there is no hidden network upload or credential exfiltration logic.
Review Dimensions
- Purpose & Capability: ok. The name/description (daily images from Wikipedia 'On This Day' using local ComfyUI) aligns with the included scripts and docs: scripts call ComfyUI's local HTTP API, fetch Wikipedia events, construct prompts, queue jobs, and write images to local output paths. Nothing requested (no env vars, no external cloud API keys) is disproportionate to that purpose.
- Instruction Scope: note. Runtime instructions and scripts operate locally (Wikipedia REST API + local ComfyUI HTTP endpoint). The README and SKILL.md describe automatic posting to Discord, but the provided scripts shown do not declare or clearly read a Discord bot token or other credentials; the docs say 'use Discord API or message tool' which suggests posting may be left to user configuration. Verify the remainder of on-this-day.sh (truncated in provided contents) to confirm whether any automated Discord posting or other outbound endpoints are implemented and where credentials are read from.
- Install Mechanism: ok. No install spec; this is instruction + shell scripts only. Nothing is downloaded or executed from remote URLs by the skill itself—users are instructed to install StabilityMatrix/ComfyUI separately. That lowers installation risk.
- Credentials: note. The skill declares no required environment variables, but the scripts include hard-coded defaults (COMFY_HOST=192.168.4.95, COMFY_DIR and Windows C: paths, and user-specific paths like /home/tony). The README also lists a default Discord channel ID and instructs creating a bot/token but doesn't declare any required env var for the token. Before use, you should confirm where any Discord token or other credentials must be stored and ensure they aren't read from unexpected locations.
- Persistence & Privilege: ok. The skill does not request always:true and contains no install-time persistence. It writes logs/memory to ~/.openclaw/workspace and outputs to configured Windows output directories, which is normal for a workflow. It doesn't attempt to modify other skills or system-wide configs.
