Comfyui anfrage

Pass

Audited by ClawScan on May 10, 2026.

Overview

This skill is a small ComfyUI client that matches its stated purpose, but users should ensure the configured ComfyUI host is trusted because workflows and optional Basic Auth credentials are sent over HTTP.

Before installing or invoking this skill, set the ComfyUI host and port to your own trusted server. If you use COMFYUI_USER and COMFYUI_PASS, avoid reusing important passwords and be aware that the code uses HTTP Basic Auth to the configured endpoint.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Workflow prompts and parameters may be sent to the configured or default LAN host, and that server may spend compute resources generating images.

Why it was flagged

The skill is designed to send workflow data over HTTP to a configured ComfyUI server, with a non-local private LAN IP as the default. This is consistent with the stated purpose, but users should confirm the target is their intended server.

Skill content

`COMFYUI_HOST`: Host/IP of the ComfyUI server (default `192.168.179.111`). ... The skill will POST to `http://{host}:{port}/run`

Recommendation

Set COMFYUI_HOST and COMFYUI_PORT explicitly to a trusted ComfyUI instance before use, and avoid sending sensitive prompts or workflows to an untrusted server.

What this means

If the ComfyUI host or local network is untrusted, the Basic Auth credentials could be exposed or used against that ComfyUI service.

Why it was flagged

The CLI can use optional environment-provided ComfyUI credentials and sends them as a Basic Auth header. This is expected for authenticated ComfyUI access, but it is credential-bearing network traffic.

Skill content

```js
const user = getEnv("COMFYUI_USER", "");
const pass = getEnv("COMFYUI_PASS", "");
...
headers["authorization"] = "Basic " + tok;
```

Recommendation

Use dedicated low-privilege ComfyUI credentials if possible, keep the server on a trusted local/VPN network, and consider HTTPS via a trusted reverse proxy if credentials are used.