🦴 ControlNet & Pose — Pro Pack on RunComfy

Pass

Audited by ClawScan on May 14, 2026.

Overview

This skill appears coherent and purpose-aligned, but it requires a RunComfy account token and sends user-selected media references to RunComfy for generation.

This skill looks safe to use for its stated purpose if you trust RunComfy and the official runcomfy CLI. Before installing, confirm the npm package source, understand that your RunComfy token enables account actions, and avoid sending private media or prompts unless you are comfortable with RunComfy processing them.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the CLI gives that package code execution under the user's account.

Why it was flagged

The skill directs the user to install or run an npm-distributed CLI. This is purpose-aligned, but package installation executes third-party code in the user's environment.

Skill content

npm i -g @runcomfy/cli      # or:  npx -y @runcomfy/cli --version

Recommendation

Install the RunComfy CLI only from official RunComfy/npm sources, verify the package name, and avoid running it with elevated privileges unless necessary.

What this means

The skill can act through the user's RunComfy account when the token/config is available.

Why it was flagged

The skill requires a RunComfy token or login configuration for authenticated API use. This is expected for the stated RunComfy integration.

Skill content

Required env vars: RUNCOMFY_TOKEN ... Required config paths: ~/.config/runcomfy

Recommendation

Use a token with the minimum needed access, keep it private, and revoke it if you stop using the skill.

What this means

Reference videos, character images, prompts, and generated outputs may be processed by RunComfy or accessible through the URLs the user provides.

Why it was flagged

The documented workflow sends user-provided media URLs and prompts to RunComfy model endpoints and stores generated outputs locally.

Skill content

runcomfy run <vendor>/<model> ... --input '{"reference_video_url": "...", "character_image_url": "..."}' ... --output-dir ./out

Recommendation

Only provide media and prompts you are comfortable sending to RunComfy, and prefer controlled or expiring URLs for private assets.

What this means

Running the skill may create RunComfy jobs, consume account credits or quota, and write generated files to the chosen output directory.

Why it was flagged

The skill's main function is to invoke RunComfy model jobs through a local CLI. This is disclosed and central to the skill, but it can initiate external generation work.

Skill content

runcomfy run kling/kling-2-6/motion-control-pro ... --output-dir ./out

Recommendation

Review the selected model, inputs, and output directory before running generation, especially if your RunComfy account has paid usage.