Skill v0.1.2
ClawScan security
🫧 Image-to-Video - Pro Pack on RunComfy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 1:21 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions match its stated purpose: it simply wraps the RunComfy CLI to run image-to-video models and only asks for the RunComfy CLI, a RunComfy token, and the RunComfy config directory.
- Guidance: This skill appears to do what it says: drive RunComfy's image-to-video models via the runcomfy CLI. Before installing or using it, confirm you trust the RunComfy CLI you install (npm i -g @runcomfy/cli) and that RUNCOMFY_TOKEN is a token issued by RunComfy with only the permissions you expect. Be aware the skill will write output to whatever --output-dir path you provide, so avoid giving it a sensitive system directory. Finally, verify that the token is not reused for other services and that the RunComfy config folder (~/.config/runcomfy) is acceptable to share with the agent.
Review Dimensions
- Purpose & Capability (ok): The name/description (image-to-video via RunComfy) aligns with required binaries (runcomfy), required env var (RUNCOMFY_TOKEN), and the referenced config path (~/.config/runcomfy). There are no unrelated credentials or binaries requested.
- Instruction Scope (ok): SKILL.md directs the agent to invoke the RunComfy CLI (runcomfy run <model>/image-to-video) with JSON inputs and to save results to an output directory. It does not instruct reading unrelated system files or exfiltrating data to third-party endpoints beyond RunComfy. It does recommend installing the CLI (npm i -g @runcomfy/cli) and using runcomfy login, which are appropriate for this integration.
- Install Mechanism (ok): This is an instruction-only skill with no automated install spec (lowest install risk). The README suggests installing the RunComfy CLI via npm, but the skill does not auto-download or execute arbitrary code from an untrusted URL.
- Credentials (ok): Only RUNCOMFY_TOKEN and the RunComfy config path are required, which are proportional to calling the RunComfy API/CLI. No unrelated secrets or multiple service credentials are requested.
- Persistence & Privilege (ok): The skill is not always-enabled and is user-invocable; it does not request system-wide persistent privileges, nor does it modify other skills' configs. Autonomous invocation is allowed (platform default) but is not combined with other concerning privileges.
