Back to skill
Skillv0.1.4
ClawScan security
๐ซง GPT Image Edit โ Pro Pack on RunComfy ยท ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 29, 2026, 12:04 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requested binaries, env var, config path, and runtime instructions are coherent with its stated purpose of invoking RunComfy's CLI to call the OpenAI GPT Image 2 /edit endpoint.
- Guidance
- This skill is internally consistent, but note: using it sends images and edit instructions to the RunComfy service / OpenAI model backend โ review RunComfy/OpenAI privacy and data-retention policies before sending sensitive images. Protect your RUNCOMFY_TOKEN (use short-lived or scoped tokens if supported), avoid embedding secrets in image URLs, and verify you trust the @runcomfy/cli npm package you install. If you need edits on private local files, prefer workflow that explicitly uploads from a controlled environment rather than pasting internal URLs into the skill.
Review Dimensions
- Purpose & Capability
- okName/description say it calls RunComfy's GPT Image 2 /edit via the RunComfy CLI; the skill requires the runcomfy CLI, RUNCOMFY_TOKEN, and the RunComfy config path โ all expected and proportional to that purpose.
- Instruction Scope
- okSKILL.md contains concrete runcomfy CLI commands, input schema, and examples. It restricts images to public HTTPS URLs and directs outputs to a user-specified output directory. It does not instruct reading unrelated files or env vars beyond RUNCOMFY_TOKEN / RunComfy config.
- Install Mechanism
- okInstruction-only skill with no install spec or archived downloads. The README suggests installing @runcomfy/cli from npm and using runcomfy login or RUNCOMFY_TOKEN โ standard, low-risk guidance.
- Credentials
- okRequires a single service token (RUNCOMFY_TOKEN) and the RunComfy config path; these are expected for a CLI wrapper that authenticates to RunComfy. No unrelated credentials or broad system secrets requested.
- Persistence & Privilege
- okalways:false (default) and no instructions to modify other skills or system-wide agent settings. The skill uses the standard RunComfy config location (~/.config/runcomfy) which is appropriate for the CLI's operation.