VEED UGC
PassAudited by ClawScan on May 1, 2026.
Overview
This skill’s behavior matches its stated purpose: it sends a user-provided image and script to ComfyDeploy to generate a lip-synced promotional video, but users should notice the external upload and API key use.
This appears safe for its stated purpose, but install it only if you are comfortable running the included Python helper, providing a ComfyDeploy API key, and uploading the selected image and script to ComfyDeploy for processing.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill requires authorizing requests to ComfyDeploy with your API key.
The helper script uses a ComfyDeploy API key even though the registry metadata declares no required environment variables or primary credential.
return os.environ.get("COMFY_DEPLOY_API_KEY") ... parser.add_argument("--api-key", "-k", help="ComfyDeploy API key")Use a dedicated, least-privilege ComfyDeploy key if available, and avoid passing secrets in command histories when possible.
Images of people/products and script text will be shared with the external ComfyDeploy service to create the video.
Local image files and the dialogue script are sent to ComfyDeploy as part of the video generation workflow.
client.post(f"{API_BASE}/file/upload", headers={"Authorization": f"Bearer {api_key}"}, files=files) ... json={"deployment_id": DEPLOYMENT_ID, "inputs": inputs}Only use images and scripts you are comfortable uploading to ComfyDeploy, and review that service’s data handling terms if the content is sensitive.
Running the script with uv may install or use a compatible httpx version from the package ecosystem.
The local helper script declares a runtime Python dependency with a lower-bound version rather than a pinned exact version.
# dependencies = [ # "httpx>=0.25.0", # ]
For stricter reproducibility, pin dependencies or run in an environment where package sources and versions are controlled.