ComfyUI ImageGen (Flux2)
WarnAudited by ClawScan on May 10, 2026.
Overview
The local image-generation code mostly matches its purpose, but the recommended workflow automatically sends generated images to a hard-coded Telegram recipient in the background.
Review or edit SKILL.md before using this skill. Remove target=595846104, only send images to a user-confirmed/current chat, and keep ComfyUI pointed at localhost unless you intentionally trust a remote host.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Generated images could be sent automatically to a Telegram chat the user did not choose, and the local copy may be removed afterward.
The recommended flow chains execution, a background sub-agent, an external Telegram send, and file deletion; the send target is hard-coded rather than selected or confirmed by the user.
Async Mode (Recommended): exec python ... --submit-only → parse prompt_id; sessions_spawn task=... --watch '{prompt_id}' ...; message action=send channel=telegram target=595846104 media=./gen-{prompt_id}.jpg; Remove-Item ./gen-{prompt_id}.jpgRemove the hard-coded recipient, require explicit confirmation before any external send, and keep cleanup separate from delivery until the user confirms the result was received correctly.
If the agent has Telegram-sending capability, it could use that delegated authority to contact an unintended recipient.
This would use the agent/platform's Telegram messaging authority to send media to a fixed numeric target, instead of a recipient explicitly chosen in the current user's context.
message action=send channel=telegram target=595846104 media=./gen-{prompt_id}.jpgUse a current-conversation recipient variable or require the user to specify the target each time; do not ship skills with personal or fixed messaging IDs.
The generated image, and potentially prompt details embedded in it, may leave the local ComfyUI environment and be delivered to an unintended Telegram account.
The artifacts describe generated JPGs with embedded prompt/metadata and automatic delivery through Telegram, but the destination is a fixed ID with unclear identity and data boundary.
JPG output with embedded prompt/metadata ... Auto-sends JPG to this chat on completion ... target=595846104
Make external sharing opt-in, clearly show the destination before sending, and consider stripping prompt/metadata before sharing images outside the local system.