Skillv1.0.0

ClawScan security

CamScanner Image HD · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 30, 2026, 7:56 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions, required binaries, and behavior match its stated purpose (upload an image to CamScanner endpoints, apply HD processing, and download the result); the main risk is that it sends your files to a third-party server, so you should consider privacy before using it.
Guidance: This skill appears coherent and does what it says: it uploads your chosen image file to CamScanner's ai-tools.camscanner.com, runs an HD enhancement, and downloads the result. Before using it, decide whether you are comfortable uploading the image to a third-party service (avoid sensitive or private images unless you trust their policy), verify the endpoint/domain and privacy policy if that matters to you, test with non-sensitive images first, ensure curl and jq are installed, and confirm you understand where the output will be saved locally. If you need guarantees about retention, encryption, or authentication, ask the publisher for official API docs or require an authenticated API that you control.

Purpose & Capability: okName/description describe HD image enhancement and the SKILL.md only requires curl and jq and shows a three-step upload/enhance/download pipeline to ai-tools.camscanner.com — these requirements are proportionate and expected for the stated purpose.
Instruction Scope: noteInstructions explicitly upload a local file, call the enhancement endpoint, and download the result; they do not instruct reading unrelated files or environment variables. Important privacy behavior is documented in the skill: user images are sent to a third-party server for processing. That external upload is expected for this skill but has privacy implications.
Install Mechanism: okInstruction-only skill with no install spec or code files — nothing is written to disk by the skill itself beyond the outputs the user saves. This is low install risk.
Credentials: okNo environment variables or credentials are requested, which is proportionate. One notable point: the API examples show unauthenticated uploads (no API key or auth headers); this may be legitimate but means files are uploaded to the public endpoint — consider whether that is acceptable for sensitive images.
Persistence & Privilege: okThe skill is not always-enabled and does not request elevated persistence or modify other skills/config. Normal autonomous invocation is allowed (platform default).