Lipsync - Pro Pack on RunComfy
Pass
Audited by ClawScan on May 14, 2026.
Overview
The skill appears benign: it openly uses RunComfy's CLI and account token to generate lip-sync videos, with normal third-party media sharing and consent considerations.
Before installing, make sure you trust the RunComfy CLI package and are comfortable sending the selected audio/video media to RunComfy. Use a properly scoped token, keep it private, and only create lip-sync content for people and media you have permission to use.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may consume RunComfy account resources and gives the CLI access to submit jobs on the user's behalf.
The skill uses a RunComfy account token/login so CLI actions run under the user's RunComfy account. This is expected for the service integration and no credential logging or unrelated use is shown.
runcomfy login # or in CI: export RUNCOMFY_TOKEN=<token>
Use a RunComfy token with appropriate scope, avoid sharing tokens, and revoke or rotate the token if it is no longer needed.
Installing a global CLI package can affect the local environment if the package source is compromised or unexpected.
The skill documents installing and running an external npm CLI package. This is central to the stated purpose, but it still relies on the npm package's provenance and updates.
npm i -g @runcomfy/cli # or: npx -y @runcomfy/cli --version
Install the CLI from the official RunComfy documentation or a trusted package source, and review package details before using global installation.
Media URLs or referenced media content may be processed by RunComfy and its selected model providers.
The workflow sends user-provided video and audio URLs to RunComfy model endpoints and writes outputs locally. The provider and data flow are disclosed and purpose-aligned.
runcomfy run <vendor>/<model> \
--input '{"video_url": "...", "audio_url": "..."}' \
--output-dir ./out
Only provide media you have rights to share with RunComfy, and review RunComfy's privacy, retention, and provider-routing terms for sensitive content.
Improper use could create harmful or deceptive videos involving real people.
Lip-sync generation can be used to create misleading synthetic media, but the artifact explicitly discloses the dual-use risk and gives refusal guidance.
Driving a real person's mouth from a separate audio track is dual-use. Refuse user requests that target real public figures without consent, or that aim at defamatory or sexually explicit synthetic media.
Use the skill only with consent and avoid public-figure impersonation, defamatory content, sexual synthetic media, or other deceptive uses.
