Skills runcomfy-cli
📦

runcomfy-cli

Low Risk ⚙️ External commands🌐 Network access📁 Filesystem access

Run Any AI Model from the Command Line with RunComfy CLI

Also available from: doany-ai,agentspace-so

Developers and creators need a single, scriptable interface for hundreds of AI image and video models. The RunComfy CLI provides one binary with one authentication to access every RunComfy model endpoint, from image generation to video editing and LoRA training.

Supports: Claude Codex Code(CC)
📊 69 Adequate
1

Download the skill ZIP

2

Upload in Claude

Go to Settings → Capabilities → Skills → Upload skill

3

Toggle on and start using

Test it

Using "runcomfy-cli". Install the runcomfy CLI on my machine

Expected outcome:

I will install the runcomfy CLI globally via npm. The CLI is now installed and ready to use. Run 'runcomfy login' to authenticate with your RunComfy account.

Using "runcomfy-cli". Generate an image of a purple cat at sunset

Expected outcome:

I will use the runcomfy CLI to generate that image. The request has been submitted and is now processing. Your image has been generated and saved to ./result.png in the current directory.

Using "runcomfy-cli". Check my runcomfy authentication status

Expected outcome:

Let me verify your authentication. You are signed in as you@example.com with a CLI token. Your account is ready to submit model requests.

Security Audit

Low Risk
v1 • 5/30/2026

Static analyzer detected 174 patterns across 1 file (272 lines) with an automated risk score of 100/100, suggesting NEEDS_AI review. After human evaluation, ALL 174 findings are confirmed FALSE POSITIVES. The flagged patterns are markdown code formatting backticks misidentified as shell execution, legitimate API and documentation URLs misidentified as suspicious network targets, documented token storage paths misidentified as hidden file access, and CLI subcommand names misidentified as system reconnaissance. The skill uses external_commands, network, and filesystem by design as a CLI wrapper for an AI model service. The SKILL.md includes a comprehensive Security and Privacy section with explicit warnings about installation safety, token protection, shell injection boundaries, indirect prompt injection, outbound endpoint allowlisting, and file size caps. Risk level set to LOW because the skill legitimately invokes external commands and makes network requests in its intended operation.

1
Files scanned
272
Lines analyzed
8
findings
1
Total audits
Low Risk Issues (5)
SKILL.md:6-271
Static analyzer false positives: markdown backticks flagged as command execution
The static analyzer flagged 123 instances of markdown code formatting backticks as 'Ruby/shell backtick execution'. The SKILL.md file is a documentation/skill-instruction file written entirely in markdown. Every backtick is either inline code formatting or a code fence delimiter. No actual shell command execution via backticks occurs in this file. The skill declares allowed-tools: Bash(runcomfy *) which restricts the agent to only running the runcomfy CLI binary.
SKILL.md:20SKILL.md:28SKILL.md:114SKILL.md:137-143
Static analyzer false positives: legitimate URLs flagged as suspicious network targets
The static analyzer flagged 40 instances of hardcoded URLs as suspicious. All URLs are legitimate references to runcomfy.com (official site and documentation), runcomfy.net (API endpoints for model serving), and skills.sh (skill marketplace). These URLs are the documented service endpoints the CLI tool interacts with. No data exfiltration or unexpected network targets are present.
SKILL.md:65SKILL.md:114SKILL.md:251
Static analyzer false positives: documented paths flagged as filesystem risks
The static analyzer flagged references to ~/.config/runcomfy/token.json as 'hidden file access' and '.../result.png' in an example output URL as 'path traversal'. These are documentation explaining where the CLI stores auth tokens (with mode 0600 permissions) and an ellipsis in an example URL. No actual path traversal or unauthorized file access exists.
SKILL.md:15SKILL.md:77SKILL.md:162-164
Static analyzer false positives: CLI subcommand names flagged as system reconnaissance
The static analyzer flagged references to 'runcomfy whoami' as system reconnaissance. The whoami subcommand is a standard CLI identity check that displays the authenticated user's email and token type. This is legitimate CLI functionality, not system enumeration.
SKILL.md:5SKILL.md:224
Static analyzer false positives: YAML block scalar and exit codes flagged as weak cryptography
The static analyzer flagged the YAML frontmatter block scalar indicator '>' on line 5 and the exit codes table on line 224 as 'weak cryptographic algorithm'. These are entirely unrelated to cryptography. Line 5 is a YAML folded block scalar syntax character and line 224 is a markdown table heading for CLI exit codes.

Risk Factors

⚙️ External commands (17)
SKILL.md:6 SKILL.md:26 SKILL.md:32-46 SKILL.md:48-56 SKILL.md:62-72 SKILL.md:76-81 SKILL.md:89-100 SKILL.md:104-121 SKILL.md:127-143 SKILL.md:147-170 SKILL.md:175-177 SKILL.md:183-188 SKILL.md:192-198 SKILL.md:202-209 SKILL.md:215-222 SKILL.md:240-253 SKILL.md:256-271
🌐 Network access (12)
SKILL.md:20 SKILL.md:28 SKILL.md:48 SKILL.md:56 SKILL.md:83 SKILL.md:114 SKILL.md:123 SKILL.md:130 SKILL.md:137-143 SKILL.md:177 SKILL.md:236 SKILL.md:265-271
📁 Filesystem access (3)
SKILL.md:65 SKILL.md:114 SKILL.md:251

Detected Patterns

External command execution via CLI binaryNetwork requests to RunComfy API endpointsFilesystem access for token storage and output downloads
Audited by: claude

Quality Score

38
Architecture
100
Maintainability
87
Content
50
Community
80
Security
83
Spec Compliance

What You Can Build

Generate AI Images and Videos on Demand

Creative professionals can generate, edit, and transform images and videos using AI models directly from the terminal without opening a browser or separate application.

Automate Batch Media Generation Pipelines

DevOps engineers can script batch processing of hundreds of prompts through shell loops, JSON parsing, and exit code handling for reliable production workflows.

Integrate AI Models into Development Workflows

AI developers can embed model calls into larger applications using JSON output mode, no-wait submission, and status polling for asynchronous job orchestration.

Try These Prompts

Install and Set Up the CLI 
Install the runcomfy CLI globally using npm and verify the installation by checking the version.
Generate an Image from a Text Prompt 
Use runcomfy to generate an image with the prompt 'a serene mountain lake at sunrise, photorealistic' using the GPT Image 2 model.
Batch Generate Images from a Prompt File 
Read prompts from prompts.txt and generate one image per prompt using runcomfy, saving each output to a timestamped directory under ./output/.
Submit a Long-Running Job and Poll Later 
Submit a video generation job with no-wait mode using runcomfy, capture the request ID, then poll the status periodically and download the result when it completes.

Best Practices

  • Always verify the CLI is installed and authenticated before running any model commands to avoid confusing error messages
  • Use --output json mode when scripting or piping results to jq for reliable programmatic parsing of response data
  • Set an explicit --timeout value for video generation and other long-running jobs to prevent indefinite waiting

Avoid

  • Never pipe remote install scripts into a shell without the user reviewing them first, even if they appear in official documentation
  • Never log or echo API tokens into prompts, command output, or files that could be committed to version control
  • Do not automatically resolve or use URLs the user did not explicitly provide for image reference or web search generation tasks

Frequently Asked Questions

What is the runcomfy CLI?
A command-line tool that provides one-binary access to hundreds of AI models on the RunComfy platform for image generation, video generation, editing, and more.
How do I authenticate with the CLI?
Run 'runcomfy login' for interactive browser-based authentication, or set the RUNCOMFY_TOKEN environment variable for CI and container environments.
What AI models are available through this CLI?
Browse the catalog at runcomfy.com/models to see all available models including FLUX, GPT Image, Nano Banana, Seedance, Kling, Veo, and many more.
How do I run a model and get the output?
Use 'runcomfy run <model_id> --input '<JSON body>'' to submit a request. The CLI handles submission, polling every 2 seconds, and downloads the result to your current directory.
Can I use this CLI in shell scripts or CI pipelines?
Yes. Use --output json for machine-readable output, --no-wait for asynchronous submission, and the documented exit codes to handle errors and retries.
Is my API token stored securely?
Yes. The token is saved to ~/.config/runcomfy/token.json with restrictive permissions (mode 0600, owner-only read and write). You can also use the RUNCOMFY_TOKEN environment variable instead.

Developer Details

License

MIT

Repository

https://github.com/runcomfy-com/skills/tree/main/runcomfy-cli/

Ref

main

File structure

📄 SKILL.md