Skill v0.1.0
ClawScan security
Alibaba Super Resolution · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 10, 2026, 2:26 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and runtime instructions match its stated purpose (calling Alibaba Cloud's video super-resolution API); the only minor inconsistency is that the registry metadata did not declare the environment variables the skill actually needs.
- Guidance: This skill appears to do what it says: call Alibaba Cloud's video super-resolution API. Before installing or running it, verify the source (repository/author), since the package owner is 'unknown' in the registry. Provide only an Alibaba RAM key with the minimal permissions required (videoenhan, and OSS read/write if you use OSS), preferably a temporary key with narrow scope. Review the requirements.txt and installed packages (alibabacloud_videoenhan SDK and requests) and consider installing in a virtualenv. Note the registry metadata omitted the required env vars — set ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET as described in SKILL.md. If you will upload sensitive videos, confirm you trust the destination (the code defaults to endpoint videoenhan.cn-shanghai.aliyuncs.com) and understand that uploaded videos will be sent to Alibaba Cloud and that output URLs expire (24h).
Review Dimensions
- Purpose & Capability (note): Name/description claim to use Alibaba Cloud Super Resolution; the SKILL.md and the Python code both require ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET (and optionally OSS settings) which are appropriate and expected for this purpose. The registry metadata, however, lists no required environment variables — an omission in the metadata but not a functional mismatch.
- Instruction Scope (ok): SKILL.md and the CLI code limit actions to uploading a local video (or using OSS), submitting jobs to Alibaba Cloud, polling job status, and downloading results. The instructions reference only the Alibaba credentials and optional OSS config; they do not instruct reading unrelated system files or sending data to unexpected endpoints. The code uses the Alibaba SDK and requests to download output URLs.
- Install Mechanism (ok): There is no automated install spec (instruction-only install) and dependencies are declared in requirements.txt (pip). This is low-risk; install-time actions are limited to installing Python packages from PyPI, and no arbitrary archive downloads or unknown URLs are used.
- Credentials (note): Requested credentials (ALIBABA_CLOUD_ACCESS_KEY_ID, ALIBABA_CLOUD_ACCESS_KEY_SECRET) and optional OSS variables are proportionate to the skill's functionality. The SKILL.md explicitly asks for them. The only issue is the registry metadata failing to declare these required env vars — users should be aware the skill will attempt to read those environment variables at runtime.
- Persistence & Privilege (ok): The skill is not always-enabled, does not request elevated platform privileges, and does not attempt to modify other skills or global agent config. It runs as a CLI tool invoked by the user/agent and does not persist additional privileges.
