Skill v1.0.0
ClawScan security
Ntriq X402 Image Upscale Batch · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Apr 17, 2026, 12:01 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to do what it claims (batch image upscaling) but its runtime instructions expect a payment token header that is not declared anywhere and will send your image URLs to an external service—verify payment, credentials, and privacy before use.
- Guidance: This skill will send the image URLs you provide to https://x402.ntriq.co.kr and requires a payment token in the X-PAYMENT header (flat $30 USDC for up to 500 images). Before installing or using it:
  1. Confirm how you obtain and store the X-PAYMENT token—avoid pasting long-lived payment tokens into chat; prefer per-request tokens or a documented wallet flow.
  2. Verify the service reputation and terms (refunds, data retention, who can access uploaded images).
  3. Don’t send sensitive images unless you trust the provider and have a clear privacy policy.
  4. Test with a small, non-sensitive batch first.
  5. Ask the publisher to update the skill metadata to explicitly declare the required payment credential and to document how results are returned and how tokens should be provisioned.
Review Dimensions
- Purpose & Capability (concern): Name/description match the instructions: the skill calls an external x402 endpoint to upscale images. However, the SKILL.md requires an X-PAYMENT header (<x402-payment-header>) for a $30 USDC payment but the skill metadata does not declare any required environment variables, credentials, or a primary credential. Expecting a payment token without declaring it is an inconsistency.
- Instruction Scope (note): Instructions are narrowly scoped to POSTing a JSON payload of image URLs to https://x402.ntriq.co.kr/image-upscale-batch with an X-PAYMENT header. This is within the stated purpose, but the doc does not explain how to obtain/provide the payment header, how results are returned/stored, nor any privacy/consent concerns about sending image URLs to a third-party server.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files; nothing is written to disk and no third-party packages are pulled in by the skill itself.
- Credentials (concern): The SKILL.md expects a sensitive payment header (X-PAYMENT) to be provided at runtime but the skill does not declare it in requires.env or as a primary credential. While the header may be provided per-call, the missing declaration makes it unclear how credentials/tokens are to be protected or provided—this could lead users to paste a payment token into chat or otherwise expose a secret.
- Persistence & Privilege (ok): The skill does not request persistent presence (always: false) and does not indicate modifying agent/system settings. It does not require elevated privileges.
