png-lsb-skills
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a straightforward local PNG analysis skill with no evidence of credential use, network activity, persistence, or destructive behavior.
This skill is reasonable to install if you need local PNG structure or LSB steganography analysis. Use it on files you choose, be careful with the optional output path, and install the Pillow dependency only from a trusted source.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill runs the bundled Python analyzer on a file path and may write a report if an output path is provided.
The skill operates by executing a local Python script. This is clearly disclosed and central to the PNG analysis purpose, but it is still local code execution.
python scripts/png_analyzer.py --png <图片路径> [--output <输出JSON路径>]
Run it only on PNG files you intend to analyze, and choose a safe output path if saving JSON results.
If Pillow must be installed or updated, the safety of that dependency depends on using a trusted package source and a maintained version.
The skill depends on the third-party Pillow image library. This is expected for PNG parsing, but it is a supply-chain component and the version is lower-bounded rather than pinned.
dependency:\n python:\n - Pillow>=9.0.0
Install Pillow from a trusted package index and consider pinning a known-good current version in controlled environments.