🩹 Image Inpainting — Pro Pack on RunComfy

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent RunComfy image-inpainting skill, but users should understand that it requires a RunComfy login or token, installs an external CLI, and sends the selected image inputs to RunComfy.

This skill appears purpose-aligned and benign. Before installing, make sure you trust the RunComfy CLI package, use a protected RunComfy token, and avoid submitting images or masks that contain sensitive information unless RunComfy's data handling terms meet your needs.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse (Severity: Low)

What this means

Anyone using this skill through the configured environment may be able to run jobs against the user's RunComfy account and potentially consume account credits or access account-scoped outputs.

Why it was flagged

The skill requires a RunComfy login or token so the CLI can submit jobs to the user's RunComfy account. This is expected for the integration, but it still grants authority over that account.

Skill content
runcomfy login              # or in CI: export RUNCOMFY_TOKEN=<token>
Recommendation

Use a dedicated RunComfy token if possible, keep it out of shared environments, and revoke or rotate it if no longer needed.

ASI04: Agentic Supply Chain Vulnerabilities (Severity: Low)

What this means

Installing or running the CLI executes third-party package code on the user's machine.

Why it was flagged

The skill directs users to install or execute an external npm-distributed CLI. That is purpose-aligned, but the artifact does not pin a version or include the CLI code for review.

Skill content
npm i -g @runcomfy/cli      # or:  npx -y @runcomfy/cli --version
Recommendation

Install the RunComfy CLI from the official source, consider pinning a known-good version, and avoid running it in highly sensitive environments without reviewing the package provenance.

ASI07: Insecure Inter-Agent Communication (Severity: Low)

What this means

Images, masks, and edit prompts may be processed by RunComfy and may also be exposed through any URLs supplied as inputs.

Why it was flagged

The inpainting workflow sends image URLs, mask URLs, and prompts to RunComfy's external service. This is the core purpose of the skill, but users should be aware of where the data boundary lies.

Skill content
runcomfy run tongyi-mai/z-image/turbo/inpainting \
  --input '{"image": "...", "mask_image": "...", "prompt": "..."}'
Recommendation

Do not use sensitive or private images unless you are comfortable with RunComfy processing them; use controlled, non-public URLs where appropriate.