ClawHub

Portrait Generator

v1.0.0

Generate hyper-detailed AI portraits via ComfyDeploy Morfeo Portrait workflow. Control every facial feature: eyes, nose, lips, jawline, skin, hair, expressio...

0· 271·2 current·3 all-time
byPaul de Lavallaz@pauldelavallaz
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and SKILL.md align: the skill calls ComfyDeploy's Morfeo Portrait workflow and includes a concrete endpoint and deployment_id. That behavior is coherent with the stated purpose. However the package has no source/homepage and no owner contact, reducing trustworthiness.
Instruction Scope
SKILL.md's runtime instructions are focused: build the JSON body and POST to https://api.comfydeploy.com/api/run/deployment/queue. The instructions (as shown) do not tell the agent to read unrelated local files or environment state. But the document assumes an API key for Authorization without documenting how it will be supplied; the file is also truncated so there may be additional instructions not visible.
Install Mechanism
No install spec and no code files (instruction-only) — low disk/write risk. Nothing will be downloaded or installed by default.
!
Credentials
The headers require 'Authorization: Bearer YOUR_API_KEY' yet requires.env and primary credential fields are empty. The skill does not declare the API key requirement or how it should be provided. This mismatch (requesting a secret in practice but not declaring it) is an incoherence and a privacy/security concern. Also there is no provenance for the service/owner to help you judge whether to supply credentials.
Persistence & Privilege
always is false and there is no indication the skill requests persistent or elevated platform privileges. It does not attempt to modify other skills or system-wide settings in the provided content.
What to consider before installing
This skill appears to be what it says (it POSTs parameters to ComfyDeploy), but there are two red flags: it implicitly requires an API key but does not declare that requirement, and the skill has no source/homepage or other provenance. Before installing: (1) ask the publisher to explicitly list required environment variables (e.g., COMFYDEPLOY_API_KEY) and to document how the key will be used; (2) verify the endpoint and deployment_id with a trusted ComfyDeploy account or documentation; (3) supply only a least-privilege API key or service account you control, and rotate it after testing; (4) avoid sending personally identifying images or real-person likenesses until you confirm privacy/consent and the destination's data retention policy; (5) request the full, untruncated SKILL.md to confirm there are no hidden steps that read local files or other env vars. If the publisher cannot provide provenance and a clear declaration of required credentials, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

facevk97621an3ysyvphvasffvqfvvn824kw6imagevk97621an3ysyvphvasffvqfvvn824kw6latestvk97621an3ysyvphvasffvqfvvn824kw6morpheusvk97621an3ysyvphvasffvqfvvn824kw6portraitvk97621an3ysyvphvasffvqfvvn824kw6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments