Skill v0.1.1
ClawScan security
🫧 Wan 2.7 - Pro Pack on RunComfy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Apr 29, 2026, 12:05 PM)
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's declared requirements and runtime instructions match its stated purpose (running the RunComfy CLI to invoke Wan 2.7); nothing requests or instructs unrelated credentials, installs, or system access.
- Guidance: This skill is coherent with its description, but before installing: 1) ensure you install the RunComfy CLI from the official source (verify the npm package and docs.runcomfy.com links); 2) treat RUNCOMFY_TOKEN as a secret: store it in CI/secret manager and grant least privilege; 3) when running the skill, choose a safe output directory (avoid system dirs) and only provide audio_url links for files you own or are allowed to upload; 4) be aware that installing a global npm package runs code from the npm registry; review package provenance if you have strict supply-chain requirements.
Review Dimensions
- Purpose & Capability (ok): Name/description (text-to-video with Wan 2.7 on RunComfy) align with the declared runtime requirements: it requires the runcomfy CLI binary, a RUNCOMFY_TOKEN, and the RunComfy config path (~/.config/runcomfy). These are expected and proportionate for a CLI-backed model runner.
- Instruction Scope (ok): SKILL.md directs the agent to call the local RunComfy CLI (runcomfy run ...) with JSON input and an output directory. It does not instruct reading unrelated system files or exfiltrating data. It references the RunComfy config and using RUNCOMFY_TOKEN for CI, which is consistent with the service.
- Install Mechanism (note): This is instruction-only (no install spec). The prereqs mention installing the RunComfy CLI via `npm i -g @runcomfy/cli`. That is a reasonable installation method, but installing global npm packages pulls code from the npm registry; users should prefer the official package and verify provenance.
- Credentials (ok): Only RUNCOMFY_TOKEN and the RunComfy config path are required. Those are directly relevant to invoking RunComfy. No unrelated tokens or secrets are requested. The token is sensitive, so ensure it has minimal privileges and is stored securely.
- Persistence & Privilege (ok): Skill does not request permanent/all-agent inclusion (always: false) and is user-invocable. It will invoke the local CLI at runtime but does not attempt to modify other skills or system-wide settings.
