Skill v0.1.4
ClawScan security
🫧 GPT Image 2 - Pro Pack on RunComfy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 12:04 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are consistent with its stated purpose (running RunComfy's GPT Image 2 via the runcomfy CLI); nothing requested appears disproportionate or unrelated.
- Guidance: This skill appears coherent and does what it claims: it uses your RunComfy CLI and RUNCOMFY_TOKEN to run GPT Image 2 jobs and download results. Before installing or using it, consider: (1) RUNCOMFY_TOKEN grants actions in your RunComfy account; verify token scope and prefer ephemeral or CI-scoped tokens where possible. (2) The skill will send prompts and any provided image URLs to RunComfy and will fetch public image URLs you pass for edits; avoid passing sensitive or private images as public URLs. (3) The skill expects the runcomfy CLI to be installed (npm i -g @runcomfy/cli); ensure you install the official package from the vendor to reduce supply-chain risk. (4) Choose a safe --output-dir to avoid overwriting important files. (5) If you want stricter control, verify RunComfy's privacy/data-retention policy and consider creating a dedicated RunComfy account for automated workloads. Overall this skill is internally consistent; these are privacy and operational considerations rather than indicators of misbehavior.
Review Dimensions
- Purpose & Capability (ok): Name and description map directly to the declared requirements: the skill calls the RunComfy CLI and requires RUNCOMFY_TOKEN and the RunComfy config path (~/.config/runcomfy), which are exactly what a CLI-based RunComfy integration needs.
- Instruction Scope (note): SKILL.md instructs the agent to run the RunComfy CLI (runcomfy run ...), submit jobs, poll, and download resulting URLs into a user-specified output directory, all expected for image generation. Note: edit flows require publicly fetchable HTTPS image URLs (the skill will fetch those), and results are downloaded from runcomfy.net / runcomfy.com; this transmits user content to RunComfy and fetches remote images, which is expected but has privacy implications.
- Install Mechanism (ok): Instruction-only skill (no install spec), lowest footprint. The README suggests installing the RunComfy CLI via npm (external to the skill); that is a normal developer step but carries ordinary supply-chain considerations for npm packages (verify official package and source).
- Credentials (ok): Only RUNCOMFY_TOKEN and the RunComfy config path are required; these are proportional to a CLI-based RunComfy integration. No unrelated secrets or multiple credential sets are requested.
- Persistence & Privilege (ok): always:false and no install-time modifications are declared. The skill does not request elevated system presence or modify other skills' configurations.
