ClawHub

Xeonupscale

ReviewAudited by ClawScan on May 12, 2026.

Overview

Xeonupscale appears to be a straightforward ffmpeg video upscaler, but its installer depends on downloading an unpinned ffmpeg binary, so users should only install it from sources they trust.

Before installing, make sure you trust the GitHub repository and the BtbN ffmpeg build source. If possible, verify or pin the ffmpeg download. When using the skill, tell the agent the exact input video and desired output path, and prefer the provided upscale.sh wrapper over direct ffmpeg commands.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium
#ASI04: Agentic Supply Chain Vulnerabilities
What this means

If the remote ffmpeg release or download path were compromised, the installed binary would run with the same local file access as the agent/user.

Why it was flagged

The installer fetches a latest-release ffmpeg archive and makes the downloaded binaries executable without pinning a release or verifying a checksum/signature. This is expected for a bundled-ffmpeg video tool, but it means installation trusts the remote release at install time.

Skill content
URL="https://github.com/BtbN/FFmpeg-Builds/releases/download/latest/ffmpeg-master-latest-linux64-gpl.tar.xz" ... curl -fL --retry 3 -o "$TMP" "$URL" ... chmod +x "$FFMPEG_DIR"/ffmpeg "$FFMPEG_DIR"/ffprobe
Recommendation

Install only from trusted sources; prefer a pinned release and checksum verification, or use a system ffmpeg you already trust.

Low
#ASI02: Tool Misuse and Exploitation
What this means

A mistaken or overly broad invocation could process the wrong input or write an output file in an unintended location.

Why it was flagged

The skill permits direct invocation of the bundled ffmpeg with arbitrary arguments, not only the wrapper script. That is aligned with video conversion/upscaling, but it gives the agent broader read/write media-processing capability than the wrapper alone.

Skill content
allowed-tools: Bash(./upscale.sh *), Bash(bash upscale.sh *), Bash(./ffmpeg/ffmpeg *)
Recommendation

Use the wrapper command when possible and specify exact input and output paths before allowing the agent to run ffmpeg.