Skill v1.0.0
ClawScan security
ComfyUI TTS · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 13, 2026, 10:35 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and required tools are consistent with a local ComfyUI TTS integration and do not request unrelated credentials or reach out to unexpected external endpoints.
- Guidance: This skill appears to do what it says: it sends TTS jobs to a ComfyUI server and downloads resulting audio. Before installing or running: (1) verify you intend to connect to the configured COMFYUI_HOST/COMFYUI_PORT — default is localhost; avoid pointing it at untrusted public hosts; (2) review the included scripts (scripts/tts.sh) if you have stricter security requirements; (3) be aware generated audio files are referenced by the ComfyUI output directory and the script may download files to paths you supply; (4) note the SKILL.md mentions environment variables (COMFYUI_HOST, COMFYUI_PORT, COMFYUI_OUTPUT_DIR) but the registry metadata did not declare them — set these explicitly as needed. If you plan to run against a remote ComfyUI instance, ensure that instance is trusted, since the script will send the text you provide to that server.
Review Dimensions
- Purpose & Capability (ok): Name/description (ComfyUI TTS) match the delivered artifacts: two shell scripts implement submitting a workflow to ComfyUI, polling /history, and retrieving audio. Required binaries (curl, jq) are reasonable for the stated purpose.
- Instruction Scope (note): Runtime instructions and the scripts focus on contacting the ComfyUI endpoints (/prompt, /history, /view) and handling audio files. Minor inconsistency: SKILL.md documents environment variables (COMFYUI_HOST, COMFYUI_PORT, COMFYUI_OUTPUT_DIR) that are used by the scripts but were not declared in the skill's registry 'required env vars' metadata — this is informational, not evidence of hidden behavior. The scripts do not read unrelated system files or transmit data to third-party hosts beyond the configured COMFYUI_URL.
- Install Mechanism (ok): No install spec; this is instruction-only with included shell scripts. No downloads or remote installers are used, so nothing arbitrary is fetched or written by the skill itself during installation.
- Credentials (note): The skill requests no credentials and only uses optional environment variables for the ComfyUI host/port/output. The lack of declared required env vars in registry metadata is a small mismatch with SKILL.md but not disproportionate: the env vars merely point the script at a ComfyUI server and do not grant access to unrelated services or secrets.
- Persistence & Privilege (ok): always is false and the skill does not request persistent/privileged system changes. It does not attempt to modify other skills or global agent settings.
