Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Comfy Cli
v1.0.0
Install, manage, and run ComfyUI instances. Use when setting up ComfyUI, launching servers, installing/updating/debugging custom nodes, downloading models from CivitAI/HuggingFace, managing workspaces, running API workflows, or troubleshooting node conflicts with bisect.
⭐ 2· 2.9k·8 current·8 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (manage ComfyUI, nodes, models, workflows) aligns with the declared binary ('comfy') and the SKILL.md commands. Mentioned features (model downloads, node management, bisect) reasonably explain needing a CLI and optional model tokens.
Instruction Scope
SKILL.md is an instruction-only manifest that stays inside the claimed domain: installing/launching ComfyUI, managing nodes/models, running workflows. It references storing civitai/hf tokens in its own config and running network operations (download models, feedback, analytics). It does not instruct reading unrelated system files or other credentials, but it does imply network activity and writing tokens to a config file.
Install Mechanism
The install spec uses a 'uv' package named 'comfy-cli' which will create the 'comfy' binary. No homepage or source URL is provided in the skill metadata, so it's not possible from this manifest to verify the origin or review the package contents before execution. That increases risk compared with a well-known release host (GitHub, PyPI, etc.).
Credentials
The skill does not require environment variables, which is appropriate. It documents optional civitai/hf tokens (flags or config keys) used only for gated model downloads; requesting those tokens would be proportional to the described functionality. Users should be aware tokens will be stored in the skill's config paths (user home locations listed).
Persistence & Privilege
The skill is not always-enabled, does not request escalated platform privileges, and does not declare modifications to other skills or system-wide configs. It will create/modify its own config in standard per-user locations, which is normal for CLIs.
What to consider before installing
This skill appears to be a legitimate CLI for managing ComfyUI, but the package source is unknown in the registry metadata — there is no homepage or repository URL to inspect. Before installing:
1) Verify the 'comfy-cli' package origin (who publishes the 'uv' package and where its code is hosted).
2) Inspect the package contents or source (if available) to ensure it doesn't perform unexpected network calls or exfiltrate data.
3) Be cautious when supplying gated-model tokens (CivitAI/Hugging Face); these will be stored in the CLI's per-user config files (~/.config or %APPDATA%).
4) Expect network activity (downloading models, PR/front-end caches, feedback/analytics) and that the binary will run background processes and manage Python environments — run in a controlled environment or sandbox if you cannot verify the publisher.
If you can obtain a homepage/repository or official release URL for the package, supply that and re-scan; with a verifiable source my confidence would increase.
Like a lobster shell, security has layers — review code before you run it.
latestvk972r9warn90rbmd0gxkvex0ms7zcscd
Runtime requirements
🎨 Clawdis
Bins: comfy
Install
Install comfy-cli (uv)
Bins: comfy
uv tool install comfy-cli