Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ComfyUI Skill
v1.0.0
Generate high-quality images using a local ComfyUI instance. Use when the user wants private, powerful image generation via their own hardware and custom wor...
by @dihan
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The skill's name/description (local ComfyUI image generation) matches the included Python script and example workflows. The only required environment variable (COMFYUI_SERVER_ADDRESS) and the workflow files are appropriate for the stated purpose.
Instruction Scope
The SKILL.md stays within the stated purpose (connect to a ComfyUI server, post workflows, download images). Small inconsistencies: SKILL.md emphasizes setting COMFYUI_SERVER_ADDRESS as an env var, but the script requires the server address as a positional argument (the SKILL.md examples use the env var as an argument, so this is workable). The documentation mentions an 'Auto-Backup' sync feature but no code implements syncing beyond saving to image-gens/.
Install Mechanism
Instruction-only with bundled scripts and workflows; there is no install spec or external downloads. Nothing is written to disk by an installer step prior to use beyond the script saving generated images at runtime.
Credentials
Only COMFYUI_SERVER_ADDRESS is required, which is proportional to a local-server integration. No unrelated credentials, secrets, or config paths are requested.
Persistence & Privilege
The skill does not request permanent/always-on inclusion and does not modify other skills or system configurations. It only writes generated images to an image-gens/ folder in its working directory.
Assessment
This skill appears to do what it says: it posts a workflow JSON to a ComfyUI server and downloads the resulting image to image-gens/. Before installing, ensure the COMFYUI_SERVER_ADDRESS points to a trusted, local ComfyUI instance (do not point it at an untrusted remote host). The script trusts the ComfyUI server's response for filenames and will write image files under image-gens/ without sanitizing filename strings — a malicious or remote server could cause unexpected file writes (path traversal or overwriting) or serve unwanted content. If you will use non-local servers, review or harden the script (sanitize filenames, validate server host, restrict target directory). Also review included workflow JSONs for prompts or model names you may not want; the workflows contain explicit prompts/negative prompts and model file references. Finally, confirm 'Enable Dev mode' in ComfyUI only when you trust the host and network.
Like a lobster shell, security has layers — review code before you run it.
comfyui · image-generation · latest · local
Runtime requirements
🎨 Clawdis
Env: COMFYUI_SERVER_ADDRESS
