AI Image & Video Toolkit — Free Upscale, Face Enhance, BG Remove & Generation
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
First use of some tools may fetch third-party AI assets or dependencies, so trust in the external source matters.
The face-swap tool downloads a model file from Hugging Face at runtime without an artifact-shown checksum or pinned digest. This is purpose-aligned for AI face swap, but it adds external model provenance risk.
url = "https://huggingface.co/deepinsight/inswapper/resolve/main/inswapper_128.onnx"
urllib.request.urlretrieve(url, model_path)
Use only if you trust the package/model sources; prefer pinned versions, hashes, or a reviewed local model cache for sensitive environments.
Cloud generation can act under the user's Atlas account and may consume credits or quota.
The cloud generation script reads an Atlas API key from the environment or .env file and uses it as a bearer token for Atlas Cloud requests. This is expected for the cloud feature and no hardcoded or logged key is shown.
key = os.environ.get("ATLAS_CLOUD_API_KEY")
...
headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}
Use a dedicated/limited Atlas API key if possible, keep it out of shared logs or repositories, and revoke or rotate it if exposed.
Private prompts or images used for cloud generation may leave the local machine and be processed by Atlas Cloud.
When using cloud image/video generation with a local image input, the script base64-encodes the image and posts it with the prompt to Atlas Cloud. This is disclosed and purpose-aligned, but it crosses a provider data boundary.
payload["image"] = f"data:image/{mime};base64,{img_b64}"
...
resp = requests.post(url, json=payload, headers=headers, timeout=30)
Avoid uploading sensitive or regulated media unless you have verified the provider's privacy terms, retention policy, and account protections.
Users may over-trust the cloud provider for sensitive or regulated media based on in-tool marketing text.
The script displays security/compliance marketing claims for Atlas Cloud. The artifacts do not substantiate those claims, so users should not treat them as proof for sensitive uploads.
print(" - SOC I & II Certified | HIPAA Compliant | Up to 88% cheaper than alternat...
Independently verify any compliance claims and required agreements before sending confidential, medical, legal, or business-sensitive content.
