🩹 Image Inpainting — Pro Pack on RunComfy

Pass. Audited by ClawScan on May 14, 2026.

Overview

This is a coherent RunComfy image-inpainting skill, but users should understand it requires a RunComfy login/token, an external CLI, and sending selected image inputs to RunComfy.

This skill appears purpose-aligned and benign. Before installing, make sure you trust the RunComfy CLI package, use a protected RunComfy token, and avoid submitting images or masks that contain sensitive information unless RunComfy's data handling terms meet your needs.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone using this skill through the configured environment may be able to run jobs against the user's RunComfy account and potentially consume account credits or access account-scoped outputs.

Why it was flagged

The skill requires a RunComfy login or token so the CLI can submit jobs to the user's RunComfy account. This is expected for the integration, but it is still account authority.

Skill content

runcomfy login              # or in CI: export RUNCOMFY_TOKEN=<token>

Recommendation

Use a dedicated RunComfy token if possible, keep it out of shared environments, and revoke or rotate it if no longer needed.

What this means

Installing or running the CLI executes third-party package code on the user's machine.

Why it was flagged

The skill directs users to install or execute an external npm-distributed CLI. That is purpose-aligned, but the artifact does not pin a version or include the CLI code for review.

Skill content

npm i -g @runcomfy/cli      # or:  npx -y @runcomfy/cli --version

Recommendation

Install the RunComfy CLI from the official source, consider pinning a known-good version, and avoid running it in highly sensitive environments without reviewing the package provenance.

What this means

Images, masks, and edit prompts may be processed by RunComfy and may also be exposed through any URLs supplied as inputs.

Why it was flagged

The inpainting workflow sends image URLs, mask URLs, and prompts to RunComfy's external service. This is the core purpose of the skill, but users should notice the data boundary.

Skill content

runcomfy run tongyi-mai/z-image/turbo/inpainting \
  --input '{"image": "...", "mask_image": "...", "prompt": "..."}'

Recommendation

Do not use sensitive or private images unless you are comfortable with RunComfy processing them; use controlled, non-public URLs where appropriate.