ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Comfyui Automation Skill

Automates ComfyUI workflows by collecting required assets, executing tasks via RunningHub API, and returning execution status and results.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 20 · 1 current installs · 1 all-time installs
by@wuxiaosa86-cmd
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's stated purpose (automate ComfyUI workflows via RunningHub) matches the code and instructions which call RunningHub APIs. However registry metadata lists no required credentials while SKILL.md and the implementation explicitly require a RunningHub API key (api_key parameter). Also the package metadata is inconsistent: registry Owner ID differs from _meta.json ownerId and homepage/source are missing, which reduces provenance confidence.
Instruction Scope
SKILL.md and the code instruct the agent/operator to collect materials from the user (text prompts, URLs, file links) and to prompt for an api_key and optional webhook_url. The runtime instructions are interactive (input() prompts in the Python file). The instructions do not attempt to read local system files or unrelated environment variables, and network calls are limited to RunningHub endpoints (base_url = https://www.runninghub.cn/api/v1). However interactive prompting and optional webhook_url introduce opportunities to send user-provided data to external endpoints if misconfigured; the skill also asks to create workflows and persist configuration locally via interactive flows.
Install Mechanism
There is no external installer or download from an untrusted URL; dependencies are standard (python, requests). The skill is distributed as source files (skill.yaml, SKILL.md, python file) so no hidden binary downloads are present. This is low install risk, though the skill will execute Python code that makes network requests.
!
Credentials
The skill requires a RunningHub API key to operate, but the registry entry declares no required environment variables or primary credential. Asking the user to provide an API key at runtime is reasonable, but the metadata omission is inconsistent and could lead to users installing without realizing they must provide a secret. The skill also supports an optional webhook_url which, if provided, could forward notifications or data to a third-party endpoint — this is functional but increases risk if the webhook target is untrusted.
Persistence & Privilege
The skill does not request always:true and does not claim to modify other skills or system-wide settings. It runs as a Python script and uses only its own configuration/interactive state. Autonomous invocation is allowed (platform default) but not combined with always:true or broad credential access.
What to consider before installing
This skill implements its stated function (calls RunningHub to run ComfyUI workflows) but there are several red flags to consider before installing: 1) Metadata mismatch — the registry lists no required credentials but the skill requires a RunningHub API key; confirm where you should store/provide the key and whether the skill will log or transmit it. 2) Provenance is weak — source/homepage are missing and owner IDs in metadata differ; prefer skills with clear authorship or a trusted source. 3) The skill is interactive and may ask for materials, URLs, an API key, and an optional webhook URL — do not provide secrets or private data unless you trust the RunningHub service and the skill author. 4) Review the Python file locally before enabling it: it performs network requests to https://www.runninghub.cn and uses input()/print() flows; ensure no unexpected endpoints or data exfiltration paths are added (especially in the truncated part of the file). If you proceed, restrict the API key scope where possible, test with non-sensitive data, and consider running in an isolated environment.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk979mt52r0j3723p96d9q00k7d830v8t

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

comfyui_automation_skill

适用场景

  • 需要自动执行ComfyUI工作流的场景
  • 批量处理图像、视频等素材的自动化任务
  • 需要根据工作流需求收集素材并执行的场景
  • 希望通过API接口控制ComfyUI工作流的场景
  • 需要监控工作流执行状态并获取结果的场景

前置条件

  • 输入要求:工作流标识信息(workflowId或工作流昵称)
  • 环境依赖:Python 3.6+,requests库
  • 权限要求:需要网络访问权限以调用RunningHub API
  • API Key:需要RunningHub API密钥

参数定义

  • workflow_identifier (string): 工作流标识信息,可以是workflowId或工作流昵称
  • api_key (string): RunningHub API密钥
  • webhook_url (string) [optional]: 用于接收任务完成通知的webhook URL

执行步骤

  1. 技能启动阶段:接收用户提供的工作流标识信息
  2. 素材收集阶段:根据工作流需求,向用户索要必要的素材文件
  3. 素材完整性检查:验证所有必要的素材是否已收集完整。如果素材不完整,必须向用户索取完整素材,直到所有必要素材都收集完毕
  4. 执行确认阶段:请求用户确认是否执行运行操作
  5. 工作流执行阶段:使用"ComfyUI任务1-简易"接口执行工作流
  6. 结果反馈阶段:监控执行状态,获取返回结果并反馈给用户

异常处理

  • 异常场景:API调用失败、工作流执行超时、素材格式错误
  • 处理策略
    • API调用失败:重试3次,每次间隔2秒
    • 工作流执行超时:设置300秒超时,超时后返回错误信息
    • 素材格式错误:提示用户重新上传正确格式的素材

最佳实践

  • 确保提供的工作流标识信息正确无误
  • 准备好所有必要的素材文件,确保格式符合工作流要求
  • 在执行前仔细确认工作流参数,避免不必要的资源消耗
  • 定期检查API密钥的有效性

工作流素材映射

工作流素材配置规范

重要: 工作流素材配置必须严格按照以下规范,否则技能创建将失败:

  • 一个 Workflow ID 只能有一行配置
  • 每个 Workflow ID 必须唯一,不得重复
  • 表格格式必须保持整齐,不得有多余的空行或格式错误
  • 所需素材必须用逗号分隔,不得使用其他分隔符

工作流素材配置

以下是常见工作流及其所需素材的映射关系:

Workflow ID工作流名称所需素材
2033490071340453890局部重绘一张图片
wf_789012图像编辑文本提示词,输入图像
wf_345678视频生成文本提示词,参考图像
wf_901234音频处理输入音频,处理参数
wf_567890多模态合成文本提示词,图像,音频

自定义工作流素材

对于自定义工作流,请根据工作流的实际需求配置所需素材,并确保遵循上述规范。

处理未找到的 Workflow ID

如果用户提供的 Workflow ID 不存在,技能将引导用户新建一个工作流。新建工作流的步骤如下:

  1. 提示用户输入新工作流的名称
  2. 询问用户新工作流所需的素材类型
  3. 根据用户输入创建新工作流配置
  4. 保存新工作流配置并使用它执行任务

示例

示例 1:执行指定工作流

  • 用户指令:使用workflowId "wf_123456"执行ComfyUI工作流
  • 预期输出:收集必要素材(文本提示词),执行工作流,返回执行结果

示例 2:使用工作流昵称执行

  • 用户指令:使用工作流昵称 "Image Generator" 执行ComfyUI工作流
  • 预期输出:收集必要素材(文本提示词),执行工作流,返回执行结果

Files

5 total
Select a file
Select a file to preview.

Comments

Loading comments…