v1.0.2

我的大明朝廷

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:12 AM.

Analysis

The skill appears purpose-aligned for task orchestration and ComfyUI generation, but it needs review because external command and external agent communication boundaries are under-specified.

GuidanceReview this skill before installing. Confirm exactly how WeChat commands are authenticated and approved, secure the ComfyUI endpoint, and set log/archive retention and filesystem permissions appropriate for your prompts and generated media.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

requirements.txt

requests>=2.31.0\npython-dotenv>=1.0.0

The documented install path uses Python packages with lower-bound versions rather than fully pinned versions, which is a normal but less reproducible install pattern.

User impactA future dependency version could behave differently from the version the author tested.

RecommendationInstall in a virtual environment and prefer pinned, reviewed dependency versions for production use.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityMediumConfidenceMediumStatusConcern

metadata

Description: 自动接收微信指令，校验意图并审核政令，调度执行文生图视频任务 ... Required env vars: none ... Primary credential: none ... Required config paths: none

The skill claims to accept commands from WeChat and dispatch generation tasks, but the provided credential/config contract does not declare how that external command source is authenticated, scoped, or configured.

User impactIf installed without additional controls, the user may not know what WeChat identity or channel is allowed to trigger jobs and consume resources.

RecommendationBefore installing, require clear documentation and configuration for WeChat credentials, allowed senders/channels, rate limits, and whether a human must approve dispatches.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

config/external_agents.yaml

base_url: "http://{{COMFYUI_SERVER_IP}}:{{COMFYUI_SERVER_PORT}}" ... verify_ssl: false ... authentication:\n      enabled: false ... access_control:\n    enabled: false

The ComfyUI integration is disclosed and purpose-aligned, but it defaults to an unauthenticated HTTP connection to an external generation service.

User impactPrompts, uploaded images, and generation jobs may be exposed to or accepted by the configured ComfyUI service without strong identity checks.

RecommendationUse a trusted endpoint, restrict network access, enable authentication where possible, and avoid sending sensitive prompts or images to an unsecured ComfyUI server.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

config/audit.yaml

project_archives: "forever" ... audit_reports: "365d" ... detailed_logs: "90d" ... summary_logs: "365d"

The skill intentionally keeps archives and logs for auditing; these records can include task instructions, prompts, and execution history.

User impactUser requests and operational history may remain on disk for long periods unless retention and access permissions are changed.

RecommendationConfigure retention, log locations, and filesystem permissions before use, especially if prompts or generated assets may be sensitive.