🧰 RunComfy CLI — Pro Pack on RunComfy
Advisory
Audited by Static analysis on May 13, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill must protect the RunComfy token because it lets the CLI act as the user on RunComfy.
The skill requires a RunComfy token and persistent local auth storage. This is expected for using the RunComfy CLI, but it grants account-level access to the service.
export RUNCOMFY_TOKEN=<token-from-runcomfy.com/profile> ... Token saved to ~/.config/runcomfy/token.json with mode 0600
Use a scoped or revocable RunComfy CLI token where possible, avoid sharing logs that include tokens, and rotate the token if it may have been exposed.
Installing the CLI gives code from the package source the ability to run on the user’s machine.
The skill relies on installing and running an external CLI package. This is central to the purpose and the artifact includes an inspection warning, but users still depend on the package source.
npm i -g @runcomfy/cli ... npx -y @runcomfy/cli --version ... A standalone curl-pipe installer also exists ... Inspect any install script before piping it into a shell.
Install only from RunComfy’s official documentation or trusted package managers, verify the package name and publisher, and inspect any shell installer before use.
The agent can submit RunComfy model jobs and save generated outputs locally when the user asks it to use the skill.
The skill enables external RunComfy model requests and local file downloads through the CLI. This matches the stated purpose, but it is still a meaningful action using the user's account and filesystem.
call any text-to-image, video, edit, lip-sync, face-swap, or LoRA-training endpoint on RunComfy with `runcomfy run <model_id> --input '{...}'` ... By default the result is downloaded to the current directory.
Review prompts, model IDs, and output paths before running commands, and use --output-dir or --no-download when you want tighter control over saved files.
