UGC Manual

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill appears to do its stated lip-sync job, but it sends the provided image/audio to ComfyDeploy and needs an API key and ffmpeg despite the metadata not declaring them.

This skill is reasonable to install if you trust ComfyDeploy and the publisher for processing your image and audio. Before using it, make sure you are comfortable uploading the media, set a limited ComfyDeploy API key if available, install ffmpeg from a trusted source, and avoid using highly sensitive recordings or sharing run logs that may contain media URLs.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your provided image and audio may be processed and stored by an external service, and media URLs may appear in command output.

Why it was flagged

The script uploads user-provided local files to an external ComfyDeploy API before queuing the workflow. This is consistent with the lip-sync service purpose, but it means face images and voice/audio leave the local environment.

Skill content

COMFY_DEPLOY_API_URL = "https://api.comfydeploy.com/api" ... response = requests.post(f"{COMFY_DEPLOY_API_URL}/file/upload", headers=headers, files=files)

Recommendation

Use only media you are comfortable sending to ComfyDeploy, review the provider's privacy/retention terms, and avoid sharing logs that contain generated media URLs.

What this means

The skill will not work without a ComfyDeploy key, and using it may authorize uploads or workflow runs under that account.

Why it was flagged

The code requires a ComfyDeploy API key and uses it for bearer-token API calls, while the registry metadata lists no required env vars or primary credential. The credential use is purpose-aligned, but under-declared.

Skill content

api_key = os.environ.get("COMFY_DEPLOY_API_KEY") ... "COMFY_DEPLOY_API_KEY environment variable is required."

Recommendation

Provide a scoped ComfyDeploy key if possible, monitor account usage or credits, and revoke the key when no longer needed.

What this means

The skill depends on a local ffmpeg installation and will process the supplied audio file through that binary.

Why it was flagged

The script invokes the local ffmpeg binary to convert audio. This is directly related to the stated function and uses an argument list rather than shell execution, but ffmpeg is not declared in the registry requirements.

Skill content

cmd = ["ffmpeg", "-y", "-i", input_path, "-ac", "1", "-ar", "48000", "-c:a", "pcm_s16le", output_path] ... subprocess.run(cmd, capture_output=True, text=True, check=True)

Recommendation

Install ffmpeg from a trusted source and run the skill only on media files you intended to process.