Screenshot Tool

Security checks across malware telemetry and agentic risk

Overview

This screenshot skill does what it claims, but its scripts can let crafted URLs or filenames run unintended local shell commands.

Review before installing or running. Use only trusted URLs and trusted filenames/paths, preferably in a sandbox or disposable environment, until the scripts are changed to call subprocess.run with argument lists and shell=False. Treat generated screenshots and converted images as sensitive, especially for logged-in pages or private documents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_command(cmd, timeout=120):
    """Run a command and return the result"""
    try:
        result = subprocess.run(
            cmd,
            shell=True,
            capture_output=True,
Confidence
99% confidence
Finding
result = subprocess.run( cmd, shell=True, capture_output=True, text=True, timeout=timeout )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_command(cmd, timeout=120):
    """Run a command and return the result"""
    try:
        result = subprocess.run(
            cmd,
            shell=True,
            capture_output=True,
Confidence
98% confidence
Finding
result = subprocess.run( cmd, shell=True, capture_output=True, text=True, timeout=timeout )

Context-Inappropriate Capability

Medium
Confidence
76% confidence
Finding
The skill exposes an undeclared capability to execute external programs, specifically LibreOffice via subprocess. While calling a local converter is expected for document rendering, the use of subprocess increases the attack surface and should be explicitly declared because it can execute host binaries and interact with the local environment.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill supports loading arbitrary URLs in a headless browser but does not warn users that doing so will contact remote servers, exposing the user's IP address, user agent, timing, and potentially other environmental details. In a screenshot tool, this context makes the issue more relevant because network access is core functionality and users may reasonably assume screenshotting is a local-only action.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
- 需要将 PPT/Word/PDF 转为图片
  - 需要高清文档截图
metadata: {"clawdbot":{"emoji":"📸","requires":{"bins":["libreoffice","pdftoppm","agent-browser"]}}}
allowed-tools: Bash(screenshot-tool:*)
dependencies:
  - agent-browser: "网页截图功能必需,用于 headless 浏览器截图"
  - libreoffice: "文档转换功能必需,用于 PPT/Word/Excel 转 PDF"
Confidence
93% confidence
Finding
tool:*

VirusTotal

65/65 vendors flagged this skill as clean.
