Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ComfyUI ImageGen (Flux2)

v1.5.0

Generate images via the ComfyUI API (localhost:8188) using a Flux2 workflow. Supports structured JSON prompts sent directly as the positive prompt parameter, plus seed/steps customization. Async watcher via sub-agent for low-latency, token-efficient polling (every 5s).

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the included script and workflow: the Python script posts a Flux2 workflow JSON to a ComfyUI host, polls history, and downloads the saved JPG. There are no unexpected required env vars, binaries, or installers that would be unrelated to image generation.
Instruction Scope
SKILL.md stays largely within image-generation scope, but the examples include orchestration steps (sessions_spawn) that automatically send images via the agent's message tool (Telegram) and use a hardcoded example workspace path (C:\Users\hal\.openclaw\workspace). Those orchestration instructions reach into the agent's messaging/channel capabilities and the local filesystem; they are plausible but are external to core generation and deserve operator awareness.
Install Mechanism
No install spec is provided (instruction-only with a small included script), so nothing is downloaded or executed at install time. This minimizes supply-chain risk.
Credentials
The skill declares no environment variables or credentials, which matches its behavior (it talks to a ComfyUI HTTP host). However, SKILL.md demonstrates auto-sending images to Telegram via the agent's message tool but does not declare Telegram credentials; this relies on the agent/runtime having messaging credentials configured. The example also references a user-specific workspace path; if followed, that grants the skill read/write access in that folder.
Persistence & Privilege
The skill does not request permanent/always-on inclusion (always:false) and does not modify other skills or global agent settings. It uses a spawned watcher sub-agent in examples, which is normal for async jobs but not a privileged persistent presence.
Assessment
This skill appears to do what it says: submit a Flux2 workflow to a ComfyUI HTTP server (default localhost:8188), poll for completion, and download the saved image. Before installing/using: 1) ensure you trust the ComfyUI host you point it at (default is localhost; if you change --host to a remote server, your structured prompts and any metadata will be sent to that server), 2) be aware the SKILL.md examples auto-send images via the agent's message tool (Telegram) — confirm the agent's messaging channels/targets are ones you trust, 3) the example uses a user-specific workspace path for spawned jobs; modify that to a safe directory on your system if you run the watcher, and 4) the script writes downloaded images to disk and removes them in the example — check file paths and permissions you grant the agent. If you need stricter guarantees, run ComfyUI locally and avoid using the example sessions_spawn Telegram send until you verify messaging credentials and targets.

Like a lobster shell, security has layers — review code before you run it.
