Hitpaw Image Enhancer

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it sends user-provided image or video URLs to HitPaw's API for enhancement and downloads the result.

Install only if you trust HitPaw with the media URLs you provide and with your HitPaw API key. Avoid sensitive, private, or regulated images and videos unless you have reviewed HitPaw's terms and are comfortable with third-party processing and public or presigned URL hosting. Expect possible API credit or coin usage, and note that the video CLI may fail until the packaging/conflict-marker issues are fixed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The README promotes API-based image and video enhancement but does not clearly warn users that their media will be transmitted to and processed by HitPaw's third-party service. This can mislead users into sending sensitive or regulated content off-device without informed consent, creating privacy, confidentiality, and compliance risks.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The documentation does not clearly warn that supplied media URLs and resulting content are sent to HitPaw's external service for processing. Users may unknowingly submit private or sensitive images/videos to a third party, creating privacy, confidentiality, and compliance risks, especially for personal media or regulated data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal