ollama-vision
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears consistent with its stated purpose of locally analyzing user-provided images with Ollama, with only disclosed dependency, model-download, and local image-processing considerations.
Before installing, confirm you trust the local Ollama setup and model source, expect a possible 2–3GB first-use model download, and avoid analyzing images that contain sensitive information unless local processing is acceptable.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
First use may download a large model and relies on local dependencies whose versions and provenance are not pinned in the provided artifacts.
The skill depends on external local software, a Python package, and a large model download without pinned versions or an install spec. This is disclosed and aligned with the skill purpose, but users should verify sources.
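The qwen3-vl:4b model must already be downloaded (or it is downloaded automatically) ... the Pillow library (used for image compression: `pip install Pillow`) ... the first use of qwen3-vl:4b downloads the model automatically (about 2-3GB)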
Install Ollama and Python packages from trusted sources, verify the intended qwen3-vl:4b model, and be prepared for the 2–3GB model download.
Using the skill can run local Ollama commands and trigger a model pull if the model is missing.
The script invokes the local Ollama CLI to check and pull the model. The arguments are fixed and purpose-aligned, but this is still local tool authority that should be visible to users.
subprocess.run([ollama_path, "list"], ...); subprocess.run([ollama_path, "pull", model_name], ...)
Only use the skill on a machine where running Ollama commands and downloading the configured model are acceptable.
Private screenshots or photos may be processed by the local Ollama service and the extracted text may be returned to the agent/user.
The image content is encoded and sent to the local Ollama API/provider for analysis. The endpoint is local and expected for this skill, but image data leaves the skill process.
image_base64 = encode_image(processed_path) ... api_url = "http://localhost:11434/api/generate" ... "images": [image_base64]
Use the skill only with images you are comfortable processing locally, especially if they contain personal, financial, or confidential text.
