Skill v1.0.4

ClawScan security

Hitpaw Image Enhancer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Apr 27, 2026, 8:33 AM
Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary
The skill appears to be a legitimate HitPaw API client, but there are multiple manifest/instruction inconsistencies and packaging issues you should resolve before trusting or installing it.
Guidance
This skill mostly does what it claims: it sends image/video URLs and your HITPAW_API_KEY to a HitPaw API and downloads enhanced results. Before installing:
1) Verify the source repository (the SKILL.md points to a GitHub repo; confirm ownership and that the code there matches the package).
2) Be aware the registry metadata is inconsistent: the skill actually requires HITPAW_API_KEY and a Node environment, and the SKILL.md expects a built dist/ directory that is missing from the package.
3) Don't send sensitive media to the service unless you trust HitPaw and understand billing/retention; the client transmits your media URLs and API key to external endpoints.
4) If you proceed, run npm install/build in an isolated environment (or review and audit the code) so you control dependency installation.
5) Confirm the API base URL (https://api-base.hitpaw.com) is legitimate and matches official HitPaw docs; if anything looks off, don't provide your API key.

Review Dimensions

Purpose & Capability
concern: The code and SKILL.md consistently implement an image/video enhancement client that requires a HITPAW_API_KEY and talks to HitPaw-like endpoints; this matches the stated purpose. However, the registry metadata at the top of the submission claims "Required env vars: none" while SKILL.md and the code require HITPAW_API_KEY. That mismatch is an incoherence between what the skill claims to need and what it actually uses.
Instruction Scope
note: Runtime instructions and source are focused on submitting remote image/video URLs to the HitPaw API, polling for job completion, and downloading results. The code does not read unrelated system files or environment variables beyond HITPAW_API_KEY. Note: using this skill will send your media URLs (and the API key in headers) to external HitPaw endpoints; avoid sensitive images unless you trust the service and key usage.
Install Mechanism
concern: The package is labeled instruction-only (no install spec) but includes source files and a SKILL.md that references dist/cli.js as the entry. The manifest contains src/*.js/ts but there is no dist/ directory in the file list; the package.json build step must be run to create dist. There is no automatic install spec to install Node or dependencies; users would need to run npm install/build themselves. This inconsistency may lead to runtime failures or unexpected manual installation steps.
Credentials
note: The only credential the code requires is HITPAW_API_KEY, which is proportionate to a hosted API client. The inconsistency is that the registry metadata declared no required env vars while SKILL.md marks HITPAW_API_KEY as required; that should be corrected. No unrelated secrets or extra credentials are requested.
Persistence & Privilege
ok: The skill does not request always:true, does not modify other skills, and does not require system-wide configuration or elevated privileges. Autonomous invocation is allowed by default (normal for skills) but is not combined with other high-risk flags.