中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 20/100
Last scan:17 hr ago Rescan
20 /100
cute-kitten-generator
Generate high-detail cute kitten/animal images using ComfyUI local workflow
A legitimate ComfyUI image-generation skill that makes a local curl POST to a ComfyUI server, with no malicious patterns found. Minor doc-to-code mismatch on declared vs. actual resource usage.
Skill Namecute-kitten-generator
Duration34.5s
Enginepi
Safe to install
No immediate action needed. Consider adding explicit declared permissions (network:WRITE, filesystem:READ) to SKILL.md for transparency.

Findings 2 items

Severity Finding Location
Low
Undeclared shell and network execution Doc Mismatch
SKILL.md declares all resources as NONE, yet the skill executes a curl POST to a local ComfyUI server (http://127.0.0.1:8188/prompt) and reads the JSON workflow file from disk. Both are functional requirements but undeclared.
curl -X POST -H "Content-Type: application/json" -d '{"prompt": '"$(cat cute_kitten_sofa.json)"'}' http://127.0.0.1:8188/prompt
→ Add explicit allowed-tools declaration: Read→filesystem:READ, Bash→network:WRITE+shell:WRITE. Document the local ComfyUI API call in the capability section.
 SKILL.md:16
Low
Hardcoded personal paths and phone number Doc Mismatch
SKILL.md contains hardcoded references to /Users/lobster/.openclaw/workspace and a phone number +17704012443. These are not security issues per se but represent personal information that may not be relevant to all users.
/Users/lobster/.openclaw/workspace/ComfyUI
→ Use environment variables or workspace-relative paths instead of hardcoded user directories.
 SKILL.md:22
ResourceDeclaredInferredStatusEvidence
Filesystem NONE READ ✓ Aligned SKILL.md:22 — cat cute_kitten_sofa.json reads workflow file; scripts/cute_kitten…
Network NONE WRITE ✓ Aligned SKILL.md:16 — curl -X POST http://127.0.0.1:8188/prompt
Shell NONE WRITE ✓ Aligned SKILL.md:22 — curl|bash usage via shell execution for API call
1 findings
🔗
Medium External URL 外部 URL
http://127.0.0.1:8188/prompt
SKILL.md:16

File Tree

2 files · 3.8 KB · 118 lines
Markdown 1f · 59L JSON 1f · 59L
├─ 📁 scripts
│ └─ 📋 cute_kitten_sofa.json JSON 59L · 2.1 KB
└─ 📝 SKILL.md Markdown 59L · 1.8 KB

Security Positives

✓ No base64, obfuscation, or eval() patterns found
✓ No credential harvesting or environment variable iteration
✓ No remote script execution (curl|bash pattern is absent — curl POSTs to a local server only)
✓ No sensitive file access (~/.ssh, ~/.aws, .env)
✓ No persistence mechanisms (no cron, startup hooks, or backdoors)
✓ No C2 communication or external data exfiltration
✓ JSON workflow is a standard ComfyUI pipeline with no embedded malicious payloads
✓ The ComfyUI server target is explicitly 127.0.0.1 (localhost), indicating local-only operation