Scrask
Review
Audited by ClawScan on May 10, 2026.
Overview
Scrask is coherent with its stated purpose, but it can automatically send screenshots to AI providers and write entries into Google Calendar or Tasks without per-item confirmation.
Install this only if you want Telegram screenshots automatically parsed by external AI providers and, when confidence is high, added to Google Calendar or Tasks without review. Consider requiring confirmation for every save, using a dedicated calendar or task list, protecting the Google service-account key, and pinning dependencies before use.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A misread, ambiguous, or adversarial screenshot could create unwanted calendar events, reminders, or tasks without the user approving the exact fields first.
The skill automatically performs Calendar/Tasks writes based on model confidence rather than requiring confirmation for every item.
It saves it to the right place — no input needed from you ... High confidence (≥ 0.75) → saves silently, confirms in chat
Make auto-save opt-in, require confirmation before all Google writes by default, or set the confirmation threshold high enough that the user reviews each item before it is saved.
If the credentials are over-shared, misconfigured, or compromised, someone could create or change Calendar/Tasks data accessible through those credentials.
The code requests Google Calendar and Tasks authorization. That is expected for saving entries, but these credentials can mutate Google account data available to the service account.
GOOGLE_SCOPES = ["https://www.googleapis.com/auth/calendar", "https://www.googleapis.com/auth/tasks"]
Use a dedicated service account, share only the intended calendar/task resources where possible, protect the JSON key, and avoid storing raw keys in shared configuration files.
Private screenshot contents may be processed by Gemini and, in fallback mode, Anthropic Claude.
The screenshot image data is sent to an external vision provider for parsing; this is purpose-aligned, but screenshots may contain private messages, emails, or personal details.
"type": "image", "source": {"type": "base64", "media_type": media_type, "data": image_base64}
Avoid sending sensitive screenshots unless you are comfortable with the configured AI provider processing them, and disable optional fallback providers if you do not want screenshots sent there.
Future dependency changes could alter behavior or introduce vulnerabilities even if the current static scan is clean.
The dependency versions are minimum bounds rather than pinned versions, so manual setup may install newer package versions that were not reviewed in these artifacts.
anthropic>=0.40.0; google-generativeai>=0.8.0; google-api-python-client>=2.0.0
Pin exact dependency versions or use a reviewed lockfile before installing in a sensitive environment.
