ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Comfyui-Api

v1.1.0

Connects to a ComfyUI server to generate images from prompts, auto-detects URLs, translates Chinese prompts, and supports REST and WebSocket APIs.

1· 2.2k·8 current·8 all-time
by@qqliaoxin
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name, SKILL.md and comfyui.py implement a ComfyUI client (API and WebSocket) which is coherent. However skill.json provides a non-local default server_url (https://wp08.unicorn.org.cn:40000) and default paths (/fb/files/...) that are not referenced in the human-facing SKILL.md and could cause the skill to contact or expose local filesystem data to an unexpected external host. Those defaults are not justified by the README and are disproportionate to a simple 'set_url + generate' helper.
!
Instruction Scope
SKILL.md describes only connecting to a server and submitting prompts. The Python implementation exposes additional capabilities not surfaced in SKILL.md (system stats, arbitrary history/queue operations, upload_file which reads local files and posts them). The instructions do not warn about reading or uploading local files, so the skill's runtime scope is broader than documented.
Install Mechanism
No install spec — instruction-only plus a code file. This minimizes installer risk because nothing is downloaded at install time. The skill does import aiohttp and websockets, which must be present at runtime but are not installed by the skill.
!
Credentials
The skill requests no environment variables, but skill.json sets a non-local default server_url. That default effectively gives the skill a remote endpoint by default; combined with code that can upload files and call many endpoints, this is disproportionate and could result in unexpected data transmission if the default is used. No credentials are declared, but the presence of file-path defaults suggests possible access to local resources.
Persistence & Privilege
The skill is not marked always:true and has no explicit privilege escalation flags, but model invocation is enabled by default (disable-model-invocation not set). That means the agent/model could call this skill autonomously and contact whatever server_url is configured (including the suspicious default). Consider disallowing autonomous invocation if you don't trust the endpoint.
What to consider before installing
This skill implements a ComfyUI client and is plausible for generating images, but exercise caution before enabling it: - Inspect and override the configured server_url; do not rely on the packaged default (https://wp08.unicorn.org.cn:40000) unless you trust that host. If you don't set a server_url, verify how your agent framework supplies defaults. - The code can read local files (upload_file) and POST them to the configured server. Avoid running it with access to sensitive files, and don't let it run with filesystem permissions you wouldn't grant to a networked client. - Consider disabling autonomous model invocation (set disable-model-invocation) so the model cannot call the skill without an explicit user request. - If you plan to use it, run it in a sandbox or network-restricted environment first, and/or change the default server to a local ComfyUI instance you control (e.g., https://localhost:8188). - If you need more assurance, ask the author why the skill.json defaults point to that external domain and to /fb/files/... paths, and request a signed/official release or a version that omits remote defaults.

Like a lobster shell, security has layers — review code before you run it.

latestvk97846t3j8y5xm6gkpqpzrwn0h80e8pp
2.2kdownloads
1stars
2versions
Updated 17h ago
v1.1.0
MIT-0
@qqliaoxin
latest
Download

ComfyUI Skill - 智能图像生成

自动检测 URL 设置,直接输入提示词即可生成图片。

自动检测

用户输入包含 URL 时自动设置连接:

设置连接 https://localhost:8188
set url: https://localhost:8188

直接使用

设置连接后,直接发送提示词:

生成一只可爱的猫
a beautiful sunset over mountains

API 端点

REST API (HTTPS)

方法端点说明
POST{server}/api/prompt提交工作流
GET{server}/history/{id}获取结果
GET{server}/view?filename=xxx获取图像

WebSocket (WSS)

  • URL: wss://{server}/ws
  • 发送: {"prompt": {...}, "client_id": "xxx"}
  • 接收: executing, executed, status

命令

命令说明
set_url <url>手动设置服务器地址
status检查服务器状态
generate <提示词>生成图像

中文翻译

自动将中文提示词转换为英文:

  • "可爱的猫" → "masterpiece, best quality, high resolution, cute cat"
  • "美丽的日落" → "masterpiece, best quality, high resolution, beautiful sunset"

示例

# 设置连接 (多种方式)
设置连接 https://localhost:8188
set_url https://localhost:8188

# 直接生成
生成一只可爱的猫
a beautiful sunset over mountains

# 查看状态
status

Comments

Loading comments...