AI Video Upscale
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly aligned with video upscaling, but its shell script has unsafe handling of the optional job ID that could allow command execution.
Review this before installing. The video upscaling purpose is clear, but the script should be fixed to safely handle job IDs before use. Also verify downloaded Real-ESRGAN and Waifu2x binaries yourself and be aware that processed videos may remain in a local cache.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed job ID could potentially run local shell commands with the user's permissions.
The optional job_id argument is caller-controlled and is embedded into a shell trap without sanitization or safe quoting. A crafted value containing shell metacharacters could cause the cleanup trap to execute unintended commands when the script exits.
JOB_ID="${6:-}" ... TEMP_DIR=$(mktemp -d "/tmp/openclaw-upscale-${JOB_ID}-XXXXXX")
trap "rm -rf $TEMP_DIR" EXIT
Sanitize job_id with a strict allowlist such as letters, numbers, underscore, dot, and dash; avoid embedding it directly in shell code; and replace the trap with a safe cleanup function such as cleanup(){ rm -rf -- "$TEMP_DIR"; }; trap cleanup EXIT.
If the downloaded release asset or network path were compromised, the user could install an unsafe executable.
The setup instructions download and execute third-party binary tools, which is expected for this skill, but the artifacts do not provide checksum or signature verification.
curl -L -o waifu2x.zip "https://github.com/nihui/waifu2x-ncnn-vulkan/releases/download/20220728/waifu2x-ncnn-vulkan-20220728-ubuntu.zip"
unzip waifu2x.zip
...
curl -L -o realesrgan.zip "https://github.com/xinntao/Real-ESRGAN/releases/download/v0.2.5.0/realesrgan-ncnn-vulkan-20220424-ubuntu.zip"
unzip realesrgan.zip
chmod +x realesrgan-ncnn-vulkan
Provide pinned checksums or signature verification steps, and advise users to download only from the official release pages.
Private videos may remain stored locally in the OpenClaw cache and could be reused or discovered later.
The script keeps a persistent local cached copy of the upscaled video output. This is local and purpose-aligned, but users may not realize private videos remain after the requested output is created.
CACHE_DIR="${VIDEO_UPSCALE_CACHE:-${HOME}/.openclaw/cache/video-upscale}" ... CACHED_OUTPUT="${CACHE_DIR}/${CACHE_KEY}.mp4" ... cp "$OUTPUT_PATH" "$CACHED_OUTPUT"
Document the cache behavior clearly, add an easy cleanup option, and consider an opt-out or retention limit for cached video outputs.
