Skill v0.1.5

ClawScan security

🫧 HappyHorse 1.0 — Pro Pack on RunComfy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 29, 2026, 1:18 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions align with its stated purpose (calling the RunComfy CLI to run the HappyHorse text-to-video model); nothing requested or instructed appears disproportionate or unrelated.
Guidance
This skill appears to do exactly what it says: run the RunComfy CLI to generate HappyHorse videos. Before installing, confirm you trust RunComfy (RUNCOMFY_TOKEN grants the CLI access to your account and could incur billing). Make sure you have the official runcomfy CLI installed from a trusted source (npm @runcomfy/cli) and that you supply a safe output directory for downloads. Note the skill will route explicit 'HappyHorse' requests directly to the model (it won't second-guess model choice), and the CLI will download provider-hosted files (domains like runcomfy.com / runcomfy.net) into the path you supply. If you need stricter control, avoid granting the token to shared agents or require explicit confirmation before the skill invokes the CLI.

Review Dimensions

Purpose & Capability
ok
Name/description (text-to-video HappyHorse on RunComfy) match the declared requirements: a runcomfy CLI binary, RUNCOMFY_TOKEN, and the RunComfy config path. These are the credible, minimal pieces needed to call the provider's CLI and fetch generated videos.
Instruction Scope
ok
SKILL.md contains concrete CLI invocation examples that submit a prompt and download provider-hosted outputs to a user-specified output directory. It does not instruct reading unrelated system files, sweeping environment variables, or exfiltrating data to unexpected endpoints. It does instruct routing explicit 'HappyHorse' requests directly to the model without model-selection checks, which is intended behavior but worth noting.
Install Mechanism
ok
This is an instruction-only skill (no install spec, no code files). The README suggests installing the official @runcomfy/cli via npm, which is a conventional install path for a CLI and consistent with the declared required binary.
Credentials
ok
Only RUNCOMFY_TOKEN and the RunComfy config path are required. Those credentials/config entries are appropriate and expected for a CLI that authenticates to RunComfy; no unrelated secrets or excessive environment access are requested.
Persistence & Privilege
ok
The skill is not forced-always, and autonomous invocation is the platform default. The skill does not request persistent system-wide privileges or attempt to modify other skills or global agent settings.