Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ComfyUI Generator
v1.0.0
Generate AI images and perform style transfers via ComfyUI with batch processing and automated workflow management through OpenClaw integration.
by @nl108
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (ComfyUI image generation, style transfer, batch processing) align with the included client and prompt-generator code. However SKILL.md and the README reference additional scripts (scripts/file_monitor.py), workflow and config files (workflows/*.json, config/*.yaml), and runtime behavior (file monitoring/archiving) that are not present in the package manifest. Also SKILL.md instructs copying workflows into C:\ComfyUI, which requires filesystem access to an external app directory not managed by the skill. These missing artifacts and external path operations are inconsistent with the declared file list and raise questions about completeness and intent.
Instruction Scope
Runtime instructions target a local ComfyUI service (http://127.0.0.1:8188) and include commands to set COMFY_* env vars, copy workflow files into C:\ComfyUI, check the service with curl, and start ComfyUI via python. The instructions are otherwise scoped to local ComfyUI endpoints (no external network endpoints). However SKILL.md mentions file_monitor and several config/workflow files that are missing; that implies the skill expects to read/monitor and archive files in user directories — a scope expansion not supported by the provided code. The instructions also reference user-specific log paths (C:\Users\LEI\.openclaw\logs\) which is a narrow privacy concern and suggests the author tested on a specific machine.
Install Mechanism
There is no install spec (instruction-only install). No downloads, package registry installs, or archive extracts are requested by the manifest. That keeps disk-write/remote-install risk low. The package includes Python scripts which an agent could execute, so normal caution about running third-party scripts applies.
Credentials
Registry metadata lists no required environment variables, but both SKILL.md and comfy_client.py use COMFY_BASE_URL, COMFY_API_KEY and suggest COMFY_OUTPUT_DIR. The client will add an Authorization: Bearer header if COMFY_API_KEY is set. Asking for an API key is reasonable for an API client, but the manifest's omission of these env vars is an inconsistency. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true, does not claim to modify other skills or system-wide settings, and has no install steps that persist a background service. It does instruct copying workflows into an external ComfyUI directory, which writes files into another application's area, but that is a functional requirement rather than a persistence-privilege escalation.
What to consider before installing
This skill appears to implement a legitimate ComfyUI client and a prompt generator, but there are notable inconsistencies and missing pieces. Before installing or running it:
- Verify provenance: the skill has no homepage and unknown source. Prefer skills with a clear repository and maintainer.
- Inspect and obtain missing files: SKILL.md references scripts/file_monitor.py and several workflow/config files that are not included. Ask the publisher for the missing files or a full repo before trusting the package.
- Confirm environment variables: the package uses COMFY_BASE_URL, COMFY_API_KEY, and COMFY_OUTPUT_DIR but the registry metadata doesn't declare them. Treat any API key as sensitive; only set it if you understand its scope and origin.
- Avoid running as admin: when testing, run in an isolated VM or sandbox and do not run copy commands that write into system or other app directories unless you trust the source.
- Review network behavior: comfy_client.py appears to call only the configured base_url (default localhost). Ensure COMFY_BASE_URL is pointed at a local ComfyUI instance and not an external server you don't control.
- If you need this skill, request a full source repo or manifest that includes the missing workflow and monitor scripts and ask the author why the metadata omits the used env vars and referenced files. If you cannot obtain satisfactory answers, do not install on sensitive systems.
Like a lobster shell, security has layers — review code before you run it.
