VTL Image Analysis
PassAudited by ClawScan on May 10, 2026.
Overview
The skill appears to perform local image-composition analysis as described, with the main cautions being unpinned Python dependencies and a constrained dynamic expression evaluator for its operator rules.
This skill is reasonable to use for local analysis of images you choose to provide. Before installing, note that it relies on several Python packages and contains a constrained eval-based rule evaluator for configurable prompt operators; use trusted package sources and avoid untrusted modifications to operators.yaml.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the operator file were replaced with untrusted content, the script would evaluate its trigger expressions locally, although the current evaluator is designed to restrict what those expressions can do.
The regeneration script dynamically evaluates trigger expressions from the operator configuration. It attempts to constrain execution with an AST allowlist and no builtins, making it purpose-aligned but still worth noticing.
return bool(eval(compile(tree, "<trigger>", "eval"), {"__builtins__": {}}, allowed_names))Use the bundled operators.yaml or edits you trust; maintainers could further reduce risk by replacing eval with a small purpose-built expression interpreter.
Installing the dependencies manually may fetch whatever versions are current from the Python package index, which can affect reproducibility and supply-chain assurance.
The skill documents third-party Python dependencies without version pins, while the provided install specification says there is no formal install spec. These dependencies are expected for image processing, but package provenance and versions are not locked in the supplied artifacts.
packages: ["numpy", "opencv-python-headless", "scikit-image", "scipy", "pyyaml"]
Install in an isolated Python environment and prefer pinned, reviewed dependency versions if using this skill in a sensitive environment.