VTL Image Analysis
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: vtl-image-analysis
Version: 1.0.0
The skill is designed for compositional image analysis and re-prompt generation. The `SKILL.md` provides clear, constraining instructions to the AI agent, including a 'HARD STOP' refusal gate for unreliable measurements. The `vtl_probe.py` script performs standard image processing without suspicious file operations or network calls. The `vtl_regen.py` script includes a robust `safe_eval` function that whitelists AST nodes and restricts built-ins, effectively preventing arbitrary code execution from `operators.yaml` triggers. The prompt modifications in `operators.yaml` are aligned with the stated purpose of improving image composition and do not exhibit malicious intent. No evidence of data exfiltration, persistence, or unauthorized remote control was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the operator file were replaced with untrusted content, the script would evaluate its trigger expressions locally, although the current evaluator is designed to restrict what those expressions can do.
The regeneration script dynamically evaluates trigger expressions from the operator configuration. It attempts to constrain execution with an AST allowlist and no builtins, making it purpose-aligned but still worth noticing.
return bool(eval(compile(tree, "<trigger>", "eval"), {"__builtins__": {}}, allowed_names))
Use the bundled operators.yaml or edits you trust; maintainers could further reduce risk by replacing eval with a small purpose-built expression interpreter.
Installing the dependencies manually may fetch whatever versions are current from the Python package index, which can affect reproducibility and supply-chain assurance.
The skill documents third-party Python dependencies without version pins, while the provided install specification says there is no formal install spec. These dependencies are expected for image processing, but package provenance and versions are not locked in the supplied artifacts.
packages: ["numpy", "opencv-python-headless", "scikit-image", "scipy", "pyyaml"]
Install in an isolated Python environment and prefer pinned, reviewed dependency versions if using this skill in a sensitive environment.
