Skill v0.1.4

ClawScan security

🫧 Flux Kontext Pro — Pro Pack on RunComfy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 29, 2026, 12:04 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with its stated purpose (running the RunComfy CLI to edit images with Flux Kontext); nothing requested is out-of-scope or unexplained.
Guidance
This skill is coherent with its stated function: it runs the RunComfy CLI to perform image edits with the Flux Kontext model. Before installing or using it, consider the following.
(1) RUNCOMFY_TOKEN lets anything the agent runs act on your RunComfy account. Verify the token's scope and use an account or token with minimal privileges.
(2) Images you provide (via public URLs) and the resulting outputs are transmitted to RunComfy's service, and the outputs are stored locally in the output directory. Avoid sending sensitive images if privacy is a concern.
(3) Confirm that you trust the @runcomfy/cli package you install (check npm package ownership and the package's published integrity hash), because that binary performs network I/O and reads ~/.config/runcomfy. Since the skill itself ships no code, the npm package is where the executable trust boundary actually sits.
(4) Choose an explicit absolute output directory and ensure the agent is allowed to write only where you expect.
Overall this looks like a legitimate, instruction-only integration; follow the above precautions when providing credentials and sensitive input.

Review Dimensions

Purpose & Capability
ok
The skill is an instruction-only wrapper for the RunComfy CLI that calls blackforestlabs/flux-1-kontext/pro/edit. Requiring the runcomfy binary, RUNCOMFY_TOKEN, and the RunComfy config path (~/.config/runcomfy) is proportional to and expected for this purpose.
Instruction Scope
note
SKILL.md tells the agent to run runcomfy run ... with input that includes a public image URL and to write results to an output directory. This is consistent with an image-editing skill, but it does imply two things: (1) the image referenced by that URL is sent to RunComfy's service, so its contents leave the local machine, and (2) the agent will write files to whatever --output-dir it is given. Confirm that you want the agent to transmit images to RunComfy and that the output paths it can write to are the ones you intend.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files, so the install surface is minimal. SKILL.md advises installing @runcomfy/cli via npm, which is reasonable but is an external step the user must verify (package ownership and the published integrity hash) before trusting the binary.
Credentials
ok
Only RUNCOMFY_TOKEN and ~/.config/runcomfy are required. Both relate directly to authenticating and configuring the RunComfy CLI. No unrelated secrets or broad credential requests are present.
Persistence & Privilege
ok
The skill's always flag is false and the skill is user-invocable. It does not request persistent system-wide privileges or modify other skills' configs. Autonomous invocation is permitted by default, which is not excessive for a skill of this scope.
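The Guidance and the Instruction Scope and Install Mechanism dimensions above reduce to three concrete pre-flight checks: verify the npm tarball against its published integrity hash, constrain where --output-dir may point, and keep RUNCOMFY_TOKEN scoped to a single invocation. The following shell script is an added example written for this page; it is not ClawHub's scanner code and not part of RunComfy or @runcomfy/cli. It assumes openssl is installed, that ls -l prints the permission string in its first ten characters, that the expected hash comes from the real npm command npm view @runcomfy/cli dist.integrity, and the token file path ~/.config/runcomfy/token is a hypothetical placeholder, not a path the CLI defines.

```shell
#!/bin/sh
# Added example for this scan page; not ClawHub's scanner output and not part
# of the runcomfy project. Implements the three checks from the Guidance above.
# Assumes: openssl is installed, `ls -l` prints the mode as the first 10 chars,
# and the expected SRI string comes from `npm view @runcomfy/cli dist.integrity`.

# 1. Verify a downloaded tarball (e.g. from `npm pack @runcomfy/cli`) against a
#    Subresource Integrity string of the form "sha512-<base64>", which is the
#    format npm publishes in dist.integrity. Exit status: 0 match, 1 mismatch,
#    2 unsupported digest algorithm.
verify_sri() {
  file="$1"; expected="$2"
  algo="${expected%%-*}"; want="${expected#*-}"
  case "$algo" in
    sha256|sha384|sha512) ;;
    *) return 2 ;;
  esac
  got="$(openssl dgst "-$algo" -binary "$file" | openssl base64 -A)" || return 1
  [ "$got" = "$want" ]
}

# 2. Accept an --output-dir only if it is absolute, already exists, is not a
#    symlink, and resolves (pwd -P) to a location under an allow-listed base
#    directory. This stops an agent-chosen path from landing outside the
#    directory you expect, e.g. via a symlink planted in the output tree.
check_output_dir() {
  dir="$1"; base="$2"
  case "$dir" in /*) ;; *) return 1 ;; esac
  [ -d "$dir" ] || return 1
  [ ! -L "$dir" ] || return 1
  real_dir="$(cd "$dir" && pwd -P)" || return 1
  real_base="$(cd "$base" && pwd -P)" || return 1
  case "$real_dir/" in "$real_base"/*) return 0 ;; *) return 1 ;; esac
}

# 3. Run a command with RUNCOMFY_TOKEN set only for that one process, read from
#    a file that must be owner read/write only (mode 0600), instead of exporting
#    the token into the whole agent session where every other tool can read it.
run_with_token() {
  token_file="$1"; shift
  mode="$(ls -ld "$token_file" 2>/dev/null | cut -c1-10)"
  [ "$mode" = "-rw-------" ] || return 1
  RUNCOMFY_TOKEN="$(cat "$token_file")" "$@"
}

# Typical use (needs network access, so not executed here; the token path is a
# hypothetical placeholder):
#   npm pack @runcomfy/cli          # writes runcomfy-cli-<version>.tgz
#   verify_sri runcomfy-cli-*.tgz "$(npm view @runcomfy/cli dist.integrity)" \
#     && check_output_dir "$HOME/runcomfy-out" "$HOME/runcomfy-out" \
#     && run_with_token "$HOME/.config/runcomfy/token" \
#          runcomfy run ... --output-dir "$HOME/runcomfy-out"
```

verify_sri compares the raw base64 digest rather than re-parsing npm's output, so a mismatch on a single byte of the tarball fails closed; check_output_dir resolves both paths physically so that a symlink inside an otherwise allowed tree cannot redirect writes elsewhere.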