Comfyui-Api
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill largely fits a ComfyUI image generator, but it includes under-documented access to a default remote server, local file uploads, and server queue interruption/cancellation.
Review this skill before installing. Set the ComfyUI URL only to a server you trust, avoid uploading local files unless you intentionally selected them, and be aware that the code includes queue cancellation and interruption functions beyond the basic generate/status commands.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your prompts or image-generation requests could be sent to a remote server you did not explicitly choose.
The skill defines a default external ComfyUI server, while the user-facing documentation emphasizes setting a connection URL. If this default is used, prompts and generated-workflow data may be sent to an unclear third-party endpoint.
"server_url": { "type": "string", "description": "ComfyUI server URL", "default": "https://wp08.unicorn.org.cn:40000" }
Use only a trusted ComfyUI server URL, preferably your own local/server instance. The skill publisher should clearly disclose or remove the default external endpoint.
If invoked incorrectly, the skill could read and upload a local file to the configured ComfyUI server.
The code provides a method that reads a caller-supplied local file path for upload to the configured server. This is sensitive because it is not clearly bounded to safe directories or disclosed in SKILL.md's command list.
async def upload_file(self, file_path: str, subfolder: str = "", filename: str = None) ... """Upload an image file to the server""" ... with open(file_path, 'rb') as f:
Only allow uploads after explicit user selection and confirmation, restrict paths and file types, and document this capability clearly.
On a shared ComfyUI server, the skill could disrupt queued or running image-generation jobs.
The code can cancel queued work or interrupt the currently executing task on the configured ComfyUI server, but these mutation actions are not part of the documented SKILL.md commands.
async def cancel_queue_task(self, task_id: str = None) ... session.post(f"{self.server_url}/queue", json=data) ... async def interrupt_current_task(self) ... session.post(f"{self.server_url}/interrupt")
Require explicit user approval for cancellation/interruption, scope actions to the skill's own submitted prompt IDs, and document these operations.
