VEED UGC
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: veed-ugc
Version: 1.0.1

The `scripts/generate.py` file is designed to upload local image files to `api.comfydeploy.com` for video generation. However, the script takes the `--image` argument directly as a file path without explicit validation or sanitization, making it vulnerable to arbitrary file read/upload. An attacker could potentially provide a path to a sensitive local file (e.g., `/etc/passwd`, `~/.ssh/id_rsa`), leading to its exfiltration to the `comfydeploy.com` service. While the skill's stated purpose requires file upload, this lack of input validation represents a significant vulnerability, classifying it as suspicious rather than benign.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill requires authorizing requests to ComfyDeploy with your API key.
The helper script uses a ComfyDeploy API key even though the registry metadata declares no required environment variables or primary credential.
    return os.environ.get("COMFY_DEPLOY_API_KEY")
    ...
    parser.add_argument("--api-key", "-k", help="ComfyDeploy API key")
Use a dedicated, least-privilege ComfyDeploy key if available, and avoid passing secrets in command histories when possible.
Images of people/products and script text will be shared with the external ComfyDeploy service to create the video.
Local image files and the dialogue script are sent to ComfyDeploy as part of the video generation workflow.
    client.post(f"{API_BASE}/file/upload", headers={"Authorization": f"Bearer {api_key}"}, files=files)
    ...
    json={"deployment_id": DEPLOYMENT_ID, "inputs": inputs}
Only use images and scripts you are comfortable uploading to ComfyDeploy, and review that service’s data handling terms if the content is sensitive.
Running the script with uv may install or use a compatible httpx version from the package ecosystem.
The local helper script declares a runtime Python dependency with a lower-bound version rather than a pinned exact version.
    # dependencies = [
    #     "httpx>=0.25.0",
    # ]
For stricter reproducibility, pin dependencies or run in an environment where package sources and versions are controlled.
