Skill v0.1.1
ClawScan security
🫧 Image Edit – Pro Pack on RunComfy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 1:51 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it simply routes image-edit requests to the RunComfy CLI and only requires the RunComfy CLI, a RunComfy token, and the RunComfy config directory.
- Guidance: This skill appears to do what it says: it uses your local RunComfy CLI and a RunComfy token to edit images. Before installing or using it:
  1. confirm you trust RunComfy and the npm package `@runcomfy/cli` (verify the package source and publisher);
  2. avoid uploading images that contain sensitive personal or secret information;
  3. use least-privilege or short-lived tokens where possible, and inspect `~/.config/runcomfy` to see what credentials are stored there;
  4. be cautious with global npm installs, since they place executable code on your system.
  If you need higher assurance, review the RunComfy CLI code/repo and the account token scopes before proceeding.
Review Dimensions
- Purpose & Capability (ok): Name/description match the declared requirements: the skill calls the local `runcomfy` CLI to run model-specific `<model>/edit` endpoints. The required binary (`runcomfy`), env var (`RUNCOMFY_TOKEN`), and config path (`~/.config/runcomfy`) are appropriate for a CLI-based RunComfy integration.
- Instruction Scope (ok): SKILL.md instructs the agent to pick an edit model and invoke `runcomfy run <model>/edit` with user-supplied image URLs and prompts. It does not ask the agent to read unrelated files or other credentials, nor to exfiltrate data to third parties outside the RunComfy workflow. It does, as expected, rely on uploading images (HTTPS URLs) to the model service.
- Install Mechanism (note): No install spec is embedded in the skill (instruction-only). The prerequisites recommend installing the official npm package `@runcomfy/cli` globally (`npm i -g`), which is a common but non-trivial action: installing global npm packages writes code to disk and should be done from a trusted source. This is expected for a CLI-based integration but is a moderate-risk action compared with instruction-only skills that require no installs.
- Credentials (ok): The only required credential is `RUNCOMFY_TOKEN` (plus the RunComfy CLI config directory). These align with the skill's purpose. No unrelated secrets or multiple unrelated environment variables are requested.
- Persistence & Privilege (ok): The skill does not request `always: true` and does not attempt to modify other skills or system-wide settings. It relies on the user-installed RunComfy CLI and the standard RunComfy config location; these are proportional to its functionality.
