VEED UGC
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill requires authorizing requests to ComfyDeploy with your API key.
The helper script uses a ComfyDeploy API key even though the registry metadata declares no required environment variables or primary credential.
    return os.environ.get("COMFY_DEPLOY_API_KEY") ... parser.add_argument("--api-key", "-k", help="ComfyDeploy API key")
Use a dedicated, least-privilege ComfyDeploy key if available, and avoid passing secrets in command histories when possible.
Images of people/products and script text will be shared with the external ComfyDeploy service to create the video.
Local image files and the dialogue script are sent to ComfyDeploy as part of the video generation workflow.
    client.post(f"{API_BASE}/file/upload", headers={"Authorization": f"Bearer {api_key}"}, files=files) ... json={"deployment_id": DEPLOYMENT_ID, "inputs": inputs}
Only use images and scripts you are comfortable uploading to ComfyDeploy, and review that service’s data handling terms if the content is sensitive.
Running the script with uv may install or use a compatible httpx version from the package ecosystem.
The local helper script declares a runtime Python dependency with a lower-bound version rather than a pinned exact version.
    # dependencies = [
    #   "httpx>=0.25.0",
    # ]
For stricter reproducibility, pin dependencies or run in an environment where package sources and versions are controlled.
