Comfyui Automation Skill
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill appears purpose-aligned for automating ComfyUI jobs through RunningHub, but users should notice that it uses a RunningHub API key, uploads selected local files, and may send completion callbacks to a webhook.
Before installing, confirm you trust the publisher enough to run its Python code and provide a RunningHub API key. When using it, carefully check workflow parameters, local file paths, and any webhook URL before confirming execution.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can act through the RunningHub account associated with the API key, including running workflows and related API operations.
The skill requires a RunningHub API key and correctly marks it as sensitive; this is expected for RunningHub API automation, but it gives the skill delegated access to the user's RunningHub account.
api_key:
  type: string
  description: "RunningHub API密钥"
  required: true
  sensitive: true
Use a dedicated or least-privileged RunningHub API key if available, rotate it if exposed, and only provide it to skills you trust.
If the wrong path is provided, a private local file could be uploaded to RunningHub.
The implementation uploads a user-specified local file to RunningHub. This matches the documented image/material upload feature, but local file uploads are a sensitive data flow.
with open(file_path, 'rb') as f:
    files = {'file': (filename, f, 'application/octet-stream')}
    ...
    response = requests.post(
        upload_url,
        headers=upload_headers,
        files=files
    )
Before confirming a run, verify that every local file path points only to the intended image or asset.
Completion information may be sent to the configured webhook endpoint if that option is used.
The skill accepts an optional webhook URL for task completion notifications. This is disclosed and optional, but webhook destinations can be external systems with their own access and data-handling risks.
`webhook_url` (string) [optional]: Webhook URL used to receive task-completion notifications
Only use webhook URLs you control or trust, and avoid sending workflow details to public or shared endpoints unless intended.
Users have less external provenance information for deciding whether to trust the code and publisher.
The registry information does not provide a source repository or homepage. The included artifacts are coherent, but provenance is limited for a networked Python skill.
Source: unknown
Homepage: none
Prefer installing from a known publisher or review the included files before providing credentials or uploading private assets.
