Skill v0.1.4
ClawScan security
🫧 Flux 2 Klein — Pro Pack on RunComfy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 12:04 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are consistent with its stated purpose (invoking the RunComfy CLI to run Flux 2 Klein); nothing requested looks unrelated or excessive.
- Guidance: This skill appears coherent and only uses the RunComfy CLI; before installing, ensure you trust RunComfy and the runcomfy CLI you install. The RUNCOMFY_TOKEN grants access to your RunComfy account (billing, models, uploads) and the CLI will read/write ~/.config/runcomfy and download model outputs into any output directory you supply — avoid running it in environments with sensitive data or broad filesystem access. If you want least privilege, create a separate RunComfy token/account for automated use, confirm the npm package source (@runcomfy/cli) is legitimate, and be mindful that autonomous agent invocation remains enabled by default (disable it in your agent settings if you prefer manual control).
Review Dimensions
- Purpose & Capability: ok. Name/description: image generation with Flux 2 Klein on RunComfy. Declared requirements (runcomfy binary, RUNCOMFY_TOKEN, ~/.config/runcomfy) and SKILL.md all focus on invoking the RunComfy CLI and passing prompts to the model; these are proportionate and expected.
- Instruction Scope: ok. SKILL.md instructs the agent to run the local runcomfy CLI with model-specific input, poll results, and download model-hosted URLs into a user-provided output directory. It does not instruct collecting unrelated system files or unrelated environment variables. It does rely on the CLI performing network I/O and reading its own config (expected).
- Install Mechanism: ok. This is an instruction-only skill with no install spec. The README suggests installing the official @runcomfy/cli via npm as a prerequisite; nothing in the skill automatically downloads or executes code from an untrusted URL.
- Credentials: ok. Only RUNCOMFY_TOKEN and the runcomfy config path (~/.config/runcomfy) are required; both are appropriate for a CLI that authenticates to RunComfy. The skill does not request unrelated credentials or extra environment variables.
- Persistence & Privilege: ok. always is false and the skill does not declare system-wide changes. The skill will cause the CLI to read its own config and write output files to whatever output-dir the agent is asked to use, which is expected behavior for a CLI-driven image generation skill.
