Skill v0.1.2

ClawScan security

🫧 Video Edit — Pro Pack on RunComfy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (Apr 29, 2026, 1:44 PM)
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions are coherent with a video-editing CLI front-end: it expects the RunComfy CLI, a RUNCOMFY_TOKEN, and a RunComfy config directory and routes edits through the RunComfy service.
Guidance
This skill appears internally consistent for calling the RunComfy CLI to perform cloud-hosted video edits. Before installing or using it:
1) Confirm you trust RunComfy (videos and any metadata will be sent to their service).
2) Verify the CLI package (@runcomfy/cli) on npm: check publisher identity, recent versions, and package audits.
3) Limit RUNCOMFY_TOKEN scope if possible and store it securely; know that whatever account the token represents can be used to submit jobs and consume quota.
4) Inspect ~/.config/runcomfy after login to understand what credentials are stored and where.
5) If you need stronger isolation, run the CLI in a container or ephemeral CI environment.
If you want extra assurance, ask the skill author for a concrete provenance link for the CLI binary (e.g., official GitHub release) or for a signed release artifact.

Review Dimensions

Purpose & Capability: ok
Name/description (video edit) match the declared needs: the skill requires the runcomfy CLI binary, a RUNCOMFY_TOKEN, and a RunComfy config path (~/.config/runcomfy). Those are appropriate for a CLI-based client that submits video edit jobs to RunComfy.

Instruction Scope: ok
SKILL.md instructs the agent to call the local runcomfy CLI (e.g., `runcomfy run <model>/edit-video`) with a source video URL and edit schema. It does not instruct reading unrelated system files or unrelated environment variables. It will, by design, transmit videos/parameters to RunComfy's service (expected for this purpose).

Install Mechanism: note
The registry has no formal install spec, but SKILL.md recommends installing the CLI with `npm i -g @runcomfy/cli`. That is a standard npm install instruction (moderate-risk source by nature of npm). No downloads from unknown hosts or archive extraction are present in the skill bundle itself.

Credentials: ok
Only RUNCOMFY_TOKEN is required (plus the runcomfy binary and its config dir). These are proportionate: a token is expected to authenticate to RunComfy. There are no unrelated secrets/requested credentials.

Persistence & Privilege: ok
The skill is not always-enabled and does not request elevated system persistence. It does not ask to modify other skills or system-wide settings. Autonomous invocation is allowed (default) but is normal for skills and not by itself a red flag.