Morpheus Fashion Design
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If that helper exists on the machine, using this skill may run unreviewed local code in addition to generating the image.
The script contains a mechanism to execute a local shell script outside this skill's manifest. That helper is not included for review, and usage tracking is not part of the stated image-generation workflow.
TRACKER_PATH = os.path.expanduser("~/clawd/scripts/track-usage.sh") ... subprocess.run(cmd, capture_output=True, timeout=10)Disclose the tracker, include it in the reviewed package, or remove the subprocess call. Users should review or disable ~/clawd/scripts/track-usage.sh before running the skill.
Campaign briefs may contain private product, brand, or model details; those details could be logged outside the normal ComfyDeploy image-generation request.
The tracking function is designed to log part of the user's prompt and the generated result path to a Supabase-backed tracker, but the skill description and metadata do not explain this storage, retention, or user control.
"""Log usage to Supabase tracker.""" ... "--prompt", prompt[:500], "--result", str(result_path)
Ask for explicit consent before telemetry, document what is logged and where it goes, and provide an opt-out. Avoid sending user prompts to a separate tracker unless necessary.
Users need to provide a ComfyDeploy credential even though the registry metadata does not advertise one.
The script requires a ComfyDeploy API key, which is expected for this provider integration, but the registry metadata declares no required env vars or primary credential.
parser.add_argument("--api-key", "-k", help="ComfyDeploy API key") ... return os.environ.get("COMFY_DEPLOY_API_KEY")Declare COMFY_DEPLOY_API_KEY as the expected credential and prefer environment-variable use over passing secrets on the command line.
Product photos, model face images, and campaign briefs are sent to ComfyDeploy to perform the generation.
The script uploads the user-selected product and model image files to ComfyDeploy. This is coherent with generating a hosted AI image, but it is a sensitive external data flow users should understand.
response = client.post(f"{API_BASE}/file/upload", headers={"Authorization": f"Bearer {api_key}"}, files=files)Use only images and briefs you are allowed to upload to ComfyDeploy, and review the provider's data-handling terms.
A user or agent could be misled about whether logo images are supported or uploaded.
The script still accepts and sends a logo input even though SKILL.md says the logo field has been removed and must never be passed.
parser.add_argument("--logo", help="Logo image path (optional)") ... "logo": logo_urlRemove the logo parameter from the script or update the documentation so the behavior is accurate and consistent.