comfyui-agent-skill-mie

Pass

Audited by VirusTotal on May 4, 2026.

Overview

Type: OpenClaw Skill
Name: comfyui-agent-skill-mie
Version: 1.0.0

The comfyui-agent-skill-mie bundle is a well-structured tool designed to allow an AI agent to interact with a ComfyUI server for image, video, and audio generation. The code implements a robust 'registered workflow' system, which prevents the execution of arbitrary, unreviewed ComfyUI graphs, significantly reducing the risk of server-side exploitation. It includes comprehensive 'preflight' and 'doctor' checks (scripts/comfyui/preflight.py, scripts/comfyui/cli_admin.py) to validate server capabilities before submission. The SKILL.md instructions are defensive, explicitly forbidding the agent from guessing ports or running unreviewed JSON. No evidence of data exfiltration, malicious persistence, or unauthorized remote execution was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may run local commands that consume compute resources and create generated media files.

Why it was flagged

The skill instructs the agent to run a local CLI, which is expected for this purpose, and it also scopes use to reviewed workflows.

Skill content

Source mode: use `uv run --no-sync python -m comfyui` ... Use registered workflows only. Do not run arbitrary unreviewed ComfyUI workflow JSON.

Recommendation

Use the skill only for requested generation tasks, keep the registered-workflow restriction, and avoid arbitrary workflow JSON unless it has been reviewed.

What this means

Installing the package gives the CLI code local execution ability in the user's environment.

Why it was flagged

The skill recommends installing executable code from an external package source; this is normal for the CLI workflow but should be verified because the registry install spec is empty.

Skill content

Recommended install (tool-install mode):

```bash
pipx install comfyui-agent-skill-mie
```

Recommendation

Install only from the expected package/repository, prefer pinned or reviewed versions where possible, and review package provenance before use.

What this means

Private prompts or input images could be exposed to whoever controls the configured ComfyUI endpoint.

Why it was flagged

Prompts and, for image workflows, selected local images may be sent to the configured ComfyUI server.

Skill content

Supports image, video, music, and speech generation on a local or trusted self-hosted ComfyUI server (default http://127.0.0.1:8188).

Recommendation

Use only a local or trusted self-hosted ComfyUI server, and do not point the skill at untrusted public endpoints.

What this means

A saved server URL could cause later generations to use that same endpoint.

Why it was flagged

The skill can persist a server URL that affects future runs, but the instructions require explicit user intent and prefer one-off configuration.

Skill content

Do not create or edit `config.local.json` unless the user explicitly wants a persistent server URL. For one-off runs, use `--server` or `COMFYUI_URL`.

Recommendation

Save a persistent server URL only when you intend future runs to use it; otherwise use the per-command `--server` option.