Thor Generator
v1.0.0
Generate high-quality images locally using the ComfyUI Thor pipeline from user-provided text prompts.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The description says 'generate images locally with ComfyUI Thor', which matches the SKILL.md command. However the metadata declares no required binaries or config paths, while the instructions assume ~/ComfyUI exists, a venv at venv/bin/activate, python3 is available, and a local script thor_generate_image.py is present. Those are reasonable runtime requirements for this purpose but should have been declared; the omission is an inconsistency.
Instruction Scope
SKILL.md instructs the agent to run a shell command via exec that cd's into ~/ComfyUI, activates a venv, and runs a local Python script with the user prompt and an output path. That is within the stated purpose but it gives the agent the ability to execute arbitrary code contained in thor_generate_image.py and to read/write the user's filesystem (~/ComfyUI, ~/Desktop/bring_img). The instructions do not include checks, fallbacks if paths are missing, or a requirement to inspect the script first.
Install Mechanism
There is no install spec and no code files bundled with the skill (instruction-only). That minimizes install-time risk because nothing is downloaded or written by the skill itself.
Credentials
The skill requests no environment variables or credentials, which is proportionate. However it implicitly requires local resources (Python, a virtualenv, the ComfyUI repo and a script) that are not declared in requires.* metadata. The absence of declared requirements makes it harder to judge whether the requested filesystem access is appropriate.
Persistence & Privilege
always:false and no install means the skill does not request persistent/system-wide privileges or automatic inclusion. It does ask the agent to execute a command when invoked, which is the normal behavior for instruction-only skills.
What to consider before installing
This skill tells the agent to run a local shell command that activates a virtualenv and executes thor_generate_image.py in ~/ComfyUI — before installing or enabling it:
1) Verify ~/ComfyUI, the venv, and thor_generate_image.py actually exist on the target machine.
2) Inspect the contents of thor_generate_image.py to ensure it only performs the expected image-generation steps and does not exfiltrate data or run other system commands.
3) Ensure python3 and the virtualenv are from trusted sources.
4) Consider running the exact command manually in a controlled environment to observe behavior and outputs.
5) If you cannot inspect or verify the script/repo, treat the skill as risky and avoid granting the agent execution rights.
Providing explicit declared requirements (python3, path to ComfyUI, and the script) or bundling the script for review would reduce the concern.
Like a lobster shell, security has layers — review code before you run it.
latest
Thor Image Generation Skill
This skill allows the assistant to generate high-quality images using the local ComfyUI "Thor" pipeline.
System Capabilities
- Model: ComfyUI / Thor
- Input: String (Prompt)
- Output: Image file saved to ~/Desktop/bring_img
Execution Protocol
When the user asks to generate an image, the assistant MUST execute the following command via the exec tool:
cd ~/ComfyUI && source venv/bin/activate && python3 thor_generate_image.py "{{prompt}}" ~/Desktop/bring_img
