png-lsb-skills
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill runs the bundled Python analyzer on a file path and may write a report if an output path is provided.
The skill operates by executing a local Python script. This is clearly disclosed and central to the PNG analysis purpose, but it is still local code execution.
python scripts/png_analyzer.py --png <图片路径> [--output <输出JSON路径>]
Run it only on PNG files you intend to analyze, and choose a safe output path if saving JSON results.
If Pillow must be installed or updated, the safety of that dependency depends on using a trusted package source and a maintained version.
The skill depends on the third-party Pillow image library. This is expected for PNG parsing, but it is a supply-chain component and the version is lower-bounded rather than pinned.
dependency:
  python:
    - Pillow>=9.0.0
Install Pillow from a trusted package index and consider pinning a known-good current version in controlled environments.
