comfyui-runner
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a simple ComfyUI health-check skill, but users should verify the configured host and note that the reviewed code does not actually implement start/stop or basic-auth behavior.
This skill looks safe for checking whether a ComfyUI server is reachable, but configure the host and port yourself, do not assume start/stop actions work, and avoid placing credentials in a .env file unless you have verified that a reviewed version actually supports and needs them.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill will contact the configured or default ComfyUI server and return reachability information.
The skill performs a network request to an environment-configured ComfyUI endpoint, defaulting to a private LAN IP. This is aligned with checking server status, but users should verify the target.
const host = getEnv("COMFYUI_HOST", "192.168.179.111"); ... const url = "http://" + host + ":" + port + "/health"; ... await fetch(url, { method: "GET" });
Set COMFYUI_HOST and COMFYUI_PORT explicitly for your own trusted ComfyUI instance before use.
If you create a .env file with a password, it becomes local sensitive configuration, and basic auth may not work because the current code does not use those variables.
The documentation suggests optional credentials may be configured for ComfyUI basic auth. This is purpose-aligned for a protected ComfyUI server, but users should treat those values as sensitive; the reviewed code does not actually consume them.
`COMFYUI_USER`: Optional username for basic auth. `COMFYUI_PASS`: Optional password for basic auth. These can be set via environment variables or a `.env` file in the skill directory.
Only store credentials if necessary, protect any .env file, and verify the skill version actually supports authentication before relying on it.
Requests to start or stop ComfyUI will not control the server, which could mislead a user or agent expecting operational control.
This code conflicts with the SKILL.md description that run and stop actions are supported. It does not show unsafe behavior, but it means the advertised capability is overstated.
if (action !== "status") { process.stdout.write(JSON.stringify({ ok: false, error: "only_status_supported_in_container" }) + "\n"); return; }
Treat this version as status-only unless the start/stop implementation is added and reviewed.
