π¬ AI Video Generation β Pro Pack on RunComfy
PassAudited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill Name: ai-video-generation-runcomfy Version: 0.1.0 The skill is a well-documented integration for the RunComfy AI video generation service. It provides structured instructions for an AI agent to route user requests to various video models using the 'runcomfy' CLI. The documentation includes explicit security considerations, such as protecting API tokens, avoiding shell injection by using JSON inputs, and warning against executing untrusted remote scripts. No indicators of data exfiltration, malicious execution, or harmful prompt injection were found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the CLI gives third-party package code local execution capability, which is expected but should come from the official source.
The skill relies on installing or running an external npm CLI package. This is purpose-aligned, but the package is not bundled or pinned by the skill artifact.
npm i -g @runcomfy/cli # or: npx -y @runcomfy/cli --version
Install the RunComfy CLI only from official RunComfy documentation or a trusted npm source, and avoid running unexpected package versions.
The skill can use the configured RunComfy account/token to submit video-generation jobs, which may consume credits or access account resources.
The skill needs a RunComfy credential/configuration to call the service. That is expected for video generation, but it is still delegated account access.
Required env vars: RUNCOMFY_TOKEN; Required config paths: ~/.config/runcomfy
Use a dedicated or scoped token if RunComfy supports it, protect the token from logs or shared chats, and monitor account usage.
The agent may choose and run a RunComfy model endpoint for a userβs video request, producing files in the chosen output directory and potentially incurring service usage.
The skill documents local CLI execution against selectable RunComfy model endpoints. This is the core function and appears scoped to video generation.
runcomfy run <vendor>/<model>/<endpoint> \
--input '{"prompt": "..."}' \
--output-dir ./outReview the selected model, prompt/assets, output directory, and expected cost before running expensive or sensitive jobs.
Prompts and any supplied image, video, or audio references may be processed by RunComfy or its model providers.
The skill supports provider-side generation using supplied media references. This is disclosed and purpose-aligned, but users should treat those inputs as data sent to an external service.
multi-modal (up to 9 reference images, 3 reference videos, 3 reference audio)
Do not submit private or regulated media unless you are comfortable with RunComfyβs handling terms and retention policies.