Skill v1.0.0
ClawScan security
Segment Anything · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 14, 2026, 12:50 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This skill is internally consistent with its description: it runs a SAM-based segmentation script, installs the expected Python packages (and the segment_anything repo) and downloads official SAM checkpoints; it does not request unrelated credentials or access.
- Guidance: This skill appears to be what it claims, but it will: (1) auto-install the segment_anything package from GitHub at runtime, and (2) download large model checkpoints (~375MB–2.5GB) to ~/.cache/sam. Before installing, ensure you have sufficient disk space and bandwidth and that you trust pulling code from the segment-anything GitHub repo. If you prefer tighter control, pre-install the dependencies and provide a local checkpoint via --checkpoint to avoid runtime pip installs and downloads. Run in an environment where large native packages (torch) are supported (and consider GPU/CUDA compatibility) or in an isolated sandbox if you want to limit risk.
Review Dimensions
- Purpose & Capability (ok): The name/description (SAM background removal) matches the code and declared dependencies: python3, pillow, numpy, torch, torchvision, and the segment_anything package. The script implements segmentation and saving transparent PNGs as advertised.
- Instruction Scope (ok): SKILL.md simply instructs running scripts/segment.py and documents parameters. The runtime behavior (auto-installing segment_anything via pip and auto-downloading model checkpoints to ~/.cache/sam) is clearly described. The instructions do not read unrelated files, environment variables, or transmit data to unexpected endpoints.
- Install Mechanism (note): Install spec lists pillow, numpy, torch, torchvision (appropriate for SAM). The script may auto-run pip install git+https://github.com/facebookresearch/segment-anything.git if needed and downloads large model checkpoints from dl.fbaipublicfiles.com (Meta's public hosting). This is expected but involves dynamic code download and large network transfers (~375MB–2.5GB).
- Credentials (ok): No environment variables, credentials, or unrelated config paths are requested. The script writes checkpoints to ~/.cache/sam and saves outputs where the user specifies; those are proportionate to the function.
- Persistence & Privilege (ok): always is false and the skill does not modify other skills or system-wide settings. It stores model checkpoints in the user's cache directory only, which is reasonable for repeated use.
