Skill v1.0.0

ClawScan security

Ntriq X402 Image Upscale · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 17, 2026, 12:00 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill is an instruction-only wrapper that sends images to an external x402 API (which matches the stated purpose) but contains minor inconsistencies around payment/authentication and a misleading hardware claim that should be clarified before use.
Guidance
This skill is essentially a shortcut showing how to call an external x402 image-upscale API — that matches the advertised capability. Before installing or using it: (1) Confirm how to obtain the required X-PAYMENT header/token (the SKILL.md does not declare or explain this). (2) Understand that images you send (URLs or base64) will be transmitted to x402.ntriq.co.kr and you will be charged per call; avoid sending sensitive images until you trust the service. (3) Verify the service identity and pricing on the homepage and test with non-sensitive samples. (4) If you expect the agent to supply the payment token automatically, require the skill to declare a specific env var or documented auth setup so you can manage the secret explicitly. If these clarifications are provided, the skill is coherent; otherwise proceed cautiously.

Review Dimensions

Purpose & Capability
note: The SKILL.md describes exactly how to call an external image-upscale HTTP API (consistent with the name). However, the description/metadata mentions 'Real-ESRGAN on Apple M4 GPU', which is an implementation detail not supported or required by the provided instructions; the skill does not install or require any Apple-specific binaries. Also, the skill states a $0.10 USDC payment but declares no credential/env variable for supplying the required X-PAYMENT header.
Instruction Scope
note: Runtime instructions are limited to making a single POST to https://x402.ntriq.co.kr/image-upscale with an X-PAYMENT header and either image_url or image_base64. This stays within the stated purpose (upscaling). The instructions do, however, transmit user image data to an external service and do not explain how to obtain or securely provide the X-PAYMENT header.
Install Mechanism
ok: No install spec and no code files: lowest-risk delivery model. Nothing is written to disk by the skill itself.
Credentials
concern: The API requires an X-PAYMENT header for payment, but the skill declares no required environment variables or primary credential for this token/header. That is an inconsistency: the skill will need a payment token or header value at runtime (potentially secret), but does not declare or document how the agent should obtain/store it. Also, sending images (including base64) to an external service can expose sensitive data; users should expect image transmission and potential charges.
Persistence & Privilege
ok: `always` is false and there is no install step, no persistent agent modification, and no automatic model-disable setting. The skill does not request elevated or persistent privileges.