Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Axelhu Local Sdxl
v1.0.1基于本地 ComfyUI 与 SDXL,实现高质量私密图像生成,支持详细构图、风格及尺寸自定义,适合无在线API场景。
⭐ 0· 32·0 current·0 all-time
by@axelhu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The name/description (local ComfyUI + SDXL) aligns with the included scripts and REST examples. However the SKILL.md claims the script will "通过飞书发送图片消息给用户" (send results via Feishu), but no code implements Feishu or any external messaging — a discrepancy between claimed capabilities and actual implementation. The script also hardcodes paths and filenames under /home/axelhu which is specific to the author's environment and may not work for other users.
Instruction Scope
Runtime instructions are focused on running the local script or calling ComfyUI's REST API on localhost:8188, which is appropriate. The script only talks to localhost and the ComfyUI API and reads local output directories. It does, however, read a hardcoded output directory (/home/axelhu/ComfyUI/output/) rather than using a configurable path in several places, which is scope-coupled to the author's environment and could cause unexpected file reads on install.
Install Mechanism
There is no install spec (instruction-only skill) and the files are small scripts and docs. No download-from-URL or package installation is defined by the skill itself. The deployment notes correctly describe a large local model requirement (sdxl-base-1.0.safetensors ~6.5GB), which is expected for the stated purpose.
Credentials
The skill requests no environment variables or credentials, which is proportionate — except SKILL.md claims automatic sending via Feishu (which would normally require credentials). That capability is asserted but not implemented in the code and yet no env vars/credentials are requested. The hardcoded filesystem paths (/home/axelhu/...) are a privacy/permission concern because the script enumerates and copies files from that directory.
Persistence & Privilege
Skill does not ask for persistent privileges; always=false and no modifications to other skills or system-wide settings. The script runs only on-demand and only communicates with localhost:8188 (ComfyUI) — no autonomous remote callbacks are present.
What to consider before installing
This skill appears to be a local ComfyUI SDXL helper and mostly does what it says, but there are a few things to check before installing or running it: 1) The SKILL.md mentions automatically sending results via Feishu, but neither script contains any Feishu or external messaging code — expect to handle delivery yourself or add secure messaging code (and then securely store credentials). 2) The Python script uses hardcoded paths (/home/axelhu/ComfyUI/output/) and will fail or read unexpected files on other systems — update the script to use configurable output directories before running. 3) Ensure ComfyUI is only listening on localhost (127.0.0.1) as recommended to avoid remote access, and confirm model files are present locally (large download). 4) Review and run the scripts as a non-root user, and inspect the code (simple HTTP calls to localhost and local filesystem operations) to satisfy yourself there is no data exfiltration. If you need the Feishu/send behavior, require that the skill request explicit credentials and implement them transparently rather than claiming the capability without code.Like a lobster shell, security has layers — review code before you run it.
latestvk97aq7g87b8753jtv0axp3w8wn842wh2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.