Comfyui Workflow

Pass. Audited by ClawScan on May 1, 2026.

Overview

This appears to be a coherent ComfyUI workflow executor, but users should notice that it can run local Python scripts, send prompts/media to a configured ComfyUI server, use an optional server token, and cache local setup details.

Before installing, confirm you trust the ComfyUI server you will target, keep any ComfyUI token private, use a virtual environment for the Python packages, inspect workflows before running them, and review the persistent model/workflow cache files for sensitive or stale information.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing unpinned packages can expose the environment to dependency changes or package-source issues.

Why it was flagged

The skill relies on manually installed, unpinned Python packages. This is expected for a Python ComfyUI client, but dependency provenance and versions are not locked by an install spec.

Skill content
pip install websocket-client requests
Recommendation

Install dependencies from trusted package indexes, preferably in a virtual environment, and pin versions if reproducibility matters.

What this means

A ComfyUI token may allow the skill to submit jobs to the configured ComfyUI server.

Why it was flagged

The skill may use a ComfyUI authentication token when the target server requires it. That credential use is purpose-aligned, but the registry metadata lists no primary credential.

Skill content
ComfyUI Token | Only if auth enabled | ComfyUI settings page
Recommendation

Use tokens only for trusted ComfyUI servers, avoid hardcoding them in shared files, and revoke or rotate tokens if exposed.

What this means

Prompts and uploaded media may be sent to whichever ComfyUI server is configured.

Why it was flagged

The skill can target remote ComfyUI servers, and its CLI accepts prompts plus image, audio, and video inputs for workflow execution.

Skill content
Works with local ComfyUI, Windows Portable via WSL, or remote servers.
Recommendation

Use a trusted local or private ComfyUI endpoint for sensitive prompts or media, and verify the configured host before running workflows.

What this means

Local setup details, model names, paths, and workflow notes may remain in the skill files and influence later runs.

Why it was flagged

The skill explicitly tells the agent to persist learned model and workflow information for future sessions.

Skill content
`MODELS_INVENTORY.md` and `WORKFLOWS_SUMMARY.md` serve as the agent's persistent knowledge base for the user's actual ComfyUI setup. Use them to cache learned information across sessions
Recommendation

Review these cache files periodically, avoid storing secrets or private prompts in them, and clear or correct stale entries.

Note (Medium Confidence)
ASI10: Rogue Agents
What this means

The skill may start or rely on a local ComfyUI server process during execution.

Why it was flagged

The CLI reference implies the default behavior may try to auto-start ComfyUI unless this option is used. Starting ComfyUI is related to the skill’s purpose, but it can create a long-running local service.

Skill content
--no-ensure              Skip auto-starting ComfyUI
Recommendation

If you prefer to manage ComfyUI manually, start it yourself and use the documented option to avoid automatic startup behavior.

What this means

Incorrect overrides or skipped validation could run the wrong generation settings, consume resources, or produce unexpected outputs.

Why it was flagged

The skill exposes advanced controls that can directly alter workflow node inputs and skip validation. This is useful for ComfyUI power users, but it increases the chance of unintended workflow behavior.

Skill content
--override JSON          Node input overrides
--no-validate            Skip input validation
Recommendation

Use `--inspect` and `--dry-run` before advanced overrides, and avoid `--no-validate` unless you understand the workflow.