Safety Report

OpenClaw ComfyUI

Name: OpenClaw ComfyUI
Rating: 5 (6 reviews)
Author: SalmonRK

Connect and control ComfyUI API efficiently using template mapping and auto-asset management for image generation and editing tasks.

1,005Downloads

9Installs

6Stars

3Versions

API Integration4,971 Image Processing1,559 Project Management1,537 DevOps & Infrastructure1,045

Security Analysis

high confidence

Clean0.04 risk

The skill's code, instructions, and requirements are consistent with its stated purpose (controlling a ComfyUI host), and there are no disproportionate credentials, hidden installs, or unrelated behaviors.

Feb 19, 20266 files1 concern

Purpose & Capabilityok

Name/description claim: connect to and control ComfyUI for image generation/editing. The repository contains workflow JSONs and a Python client that reads a ComfyUI host from workspace TOOLS.md and performs uploads, prompts, polling, and downloads — exactly what is needed to implement the described capability.

Instruction Scopenote

SKILL.md instructs the agent to run the bundled comfy_client.py with a template_id and prompt. The script reads workspace TOOLS.md for Host/Port, substitutes prompts into local workflow JSONs, uploads any provided local input files to the configured ComfyUI host, polls for results, and downloads generated files to outputs/comfy/. These actions are within scope for controlling a ComfyUI instance, but be aware the script will upload any input file you pass (allowed extensions include images, video, audio). Also the included workflow JSONs embed explicit/sexual prompt text — review content policy implications before use.

Install Mechanismok

Instruction-only skill with a visible Python script. No install spec or remote download/exec behavior is present. The only runtime dependency is the requests Python package (mentioned in README), which is reasonable for the task.

Credentialsok

The skill requests no environment variables or credentials. It reads a local TOOLS.md file to get the ComfyUI host/port; this is reasonable for a tool intended to contact a ComfyUI server. There are no unrelated credentials or config paths requested.

Persistence & Privilegeok

always:false and user-invocable:true. The skill does not alter other skills or system-wide configs. It runs only when invoked and only touches its own workflows and outputs directory.

Guidance

This skill appears to do what it claims, but check these before installing: 1) Verify the TOOLS.md host/port entry points to a trusted ComfyUI server (the script will upload local files to that host — if TOOLS.md points to an untrusted remote, sensitive files could be transmitted). 2) Only pass input files you intend to upload; the script will POST them to the configured host. 3) Inspect workflows/ for any embedded prompts (the included JSONs contain explicit sexual content and may violate usage policies). 4) Run the skill in a constrained environment (local or isolated VM/container) if you are unsure about the target ComfyUI host. 5) Ensure Python dependencies (requests) are installed from trusted sources. If you want additional assurance, review or run the Python script locally with a deliberately misconfigured or local-only TOOLS.md to observe behavior before enabling agent-autonomous calls.

Latest Release

v1.0.4

openclaw-comfyui 1.0.4 - manifest.json updated for new release version. - Minor internal updates in comfy_client.py; documentation, structure, and references kept consistent. - No changes to workflows or CLI usage.

Popular Skills

self-improving-agent

@pskoett · 1,456 stars

Gog

@steipete · 672 stars

Tavily Web Search

@arun-8687 · 620 stars

Find Skills

@JimLiuxinghai · 529 stars

Proactive Agent

@halthelobster · 426 stars

Summarize

@summarize · 415 stars

Published by @SalmonRK on ClawHub