suspicious.dynamic_code_execution
- Location: scripts/scan.py:83
- Finding: Dynamic code execution detected.
Advisory
Audited by Static analysis on May 10, 2026.
Detected: suspicious.dynamic_code_execution
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private image locations and embeddings may be persisted in the local image_db index and reused for later searches.
By default the skill recursively scans all detected drives for images and stores derived search data locally.
SCAN_ROOTS = []  # Auto-detect all drives (full-disk scan)
Before first scan, edit SCAN_ROOTS and exclusions to limit indexing to intended folders; delete image_db if you no longer want the local index.
Installation and first run depend on external package/model sources, which can affect reproducibility and supply-chain trust.
The skill relies on external Python packages and a model download; versions are not pinned to exact releases.
torch>=2.0.0 transformers>=4.30.0 faiss-cpu>=1.7.0 # Note: the CLIP model (about 340MB) is downloaded automatically on first run
Install in a virtual environment, use trusted package indexes, and consider pinning or reviewing dependency/model versions for sensitive machines.
If an attacker or untrusted process can replace image_db/image_list.pkl, running search or update could execute unintended code.
The search script deserializes a local pickle file from the image database; pickle can execute code if the file is maliciously modified.
with open(IMAGE_LIST_FILE, 'rb') as f:
    images = pickle.load(f)
Do not share or accept image_db pickle files from others; keep the skill directory writable only by trusted users, or replace pickle storage with a safer format such as JSON.