🗣️ AI Avatar & Talking Head Video - Pro Pack on RunComfy
Pass
Audited by ClawScan on May 13, 2026.
Overview
This is a coherent RunComfy video-generation skill, with expected caveats around installing the RunComfy CLI, using a RunComfy token, and sending media to RunComfy.
Before installing, verify the RunComfy CLI source, use a limited RunComfy token, review each command and output directory, and only process portraits, voices, or reference media that you have permission to use.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or running the CLI gives the package local code execution privileges.
The skill relies on installing or invoking an external npm CLI package. That is central to the stated RunComfy purpose, but it is still third-party code execution on the user's machine.
npm i -g @runcomfy/cli # or: npx -y @runcomfy/cli --version
Install the CLI only from RunComfy's official documentation or verified npm package page, and review commands before running them.
Commands may use the user's RunComfy account, token, quota, or billing context.
The skill requires a RunComfy login or token to create jobs. This is expected for the provider integration, but it gives the CLI access to the user's RunComfy account.
runcomfy login # or in CI: export RUNCOMFY_TOKEN=<token>
Use a token with the minimum needed access, keep it out of chat/logs, and confirm generation commands before spending provider credits.
Portraits, voices, reference media, and generated outputs may be processed by RunComfy or accessible wherever the provided URLs are hosted.
The examples send portrait and audio URLs to RunComfy model endpoints. This is the expected data flow for avatar generation, but those files can contain sensitive likeness or voice information.
"image_url": "https://your-cdn.example/presenter.jpg", "audio_url": "https://your-cdn.example/voiceover.mp3"
Use only media you have rights and consent to process, avoid public or long-lived URLs for private files, and check RunComfy's data-handling terms.
