Skillv1.0.1

ClawScan security

AI Image Upscaling · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 4, 2026, 11:14 PM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requests and runtime instructions are internally consistent with an image‑upscaling integration that uploads user images to hiresolutionphotos.com and returns a download URL — there are no unexplained credentials, installs, or unrelated privileges requested.
Guidance: This skill appears to do what it says: it will upload an image you select to hiresolutionphotos.com and return a result link for the user to download. Before installing or using it, consider: (1) Privacy — your image is sent to an external service with no authentication; do not upload sensitive or private images without user consent. (2) Trustworthiness — verify hiresolutionphotos.com and its privacy/retention policy; the skill provides no guarantees about storage or sharing. (3) Workflow — the agent is explicitly instructed NOT to download the final binary; the user must open the returned result_url to get their file. (4) The added query parameter (&agent=true) may change server behavior or tracking; confirm its purpose with the provider if needed. If you want higher assurance, request an official API spec or a vetted client library (or an installable package hosted on a trusted release site) before using this skill in production.

Purpose & Capability: okThe name/description (AI image upscaling) match the instructions (POST an image to https://hiresolutionphotos.com/api/upscale and poll status). Required binary is only curl, which is appropriate for the provided curl examples.
Instruction Scope: noteInstructions are narrowly focused on uploading an image and polling for a result_url. Important privacy note: the skill directs the agent to upload users' local files to a third-party site (no auth), and to return the result URL to the user rather than downloading the image itself. This is coherent with the stated purpose but has privacy/consent implications and relies on the external site for delivery.
Install Mechanism: okThere is no install spec and no code files; the skill is instruction-only and relies on an existing curl binary. This is the lowest-risk install model.
Credentials: okThe skill requests no environment variables, credentials, or config paths. That is proportionate to a public API that claims 'no API key required.'
Persistence & Privilege: okThe skill is not forced-always, does not request persistent system modifications, and does not ask to alter other skills or system-wide settings.