Segment Anything

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill appears to do the advertised local image background removal, but it may automatically install an unpinned GitHub dependency and download large model files on first use.

This skill looks appropriate for local SAM image background removal. Before installing, be aware that first use can install an unpinned GitHub dependency and download large model checkpoints; for stricter security, preinstall reviewed dependencies and provide a verified local checkpoint.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

First use may fetch and install code from GitHub, so the exact installed code could change over time.

Why it was flagged

If the SAM Python package is missing, the script installs it from GitHub at runtime without a pinned commit or version. This is purpose-aligned and disclosed, but it is still a supply-chain point users should notice.

Skill content

os.system("pip install git+https://github.com/facebookresearch/segment-anything.git -q")

Recommendation

Install a reviewed or pinned version of segment_anything yourself before use if reproducibility or supply-chain control matters.

What this means

The skill may download hundreds of MB to several GB of model data from an external host on first use.

Why it was flagged

The script automatically downloads SAM checkpoint files from fixed external URLs into ~/.cache/sam when they are not already present. This matches the documented model workflow, but the artifacts do not show checksum verification.

Skill content

urllib.request.urlretrieve(url, path, reporthook=...)

Recommendation

Use the --checkpoint option with a locally verified model file if you need stronger control over downloaded model artifacts.