Screenshot Tool

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate screenshot helper, but it needs review because it can capture sensitive screen contents and has unsafe or under-scoped capture behavior.

Review before installing. Use it only when you are comfortable with the visible screen being captured and saved locally, prefer narrow region or window captures, avoid custom output paths on Windows until the PowerShell path handling is fixed, and delete generated files that contain private information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
$graphics.Dispose()
$bitmap.Dispose()
'''
            subprocess.run(['powershell', '-Command', ps_script], check=True)
            success = True
        except:
            pass
Confidence
84% confidence
Finding
subprocess.run(['powershell', '-Command', ps_script], check=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill invokes shell commands to capture screenshots and recordings, but the manifest does not declare any permissions or execution boundaries. This creates a transparency and governance gap: an agent could activate screen-capture functionality without users or policy systems having an explicit permission signal for a highly sensitive capability.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The description is broad enough to trigger on routine requests involving screenshots or tutorials, without stating privacy constraints, confirmation requirements, or limits on what may be captured. In an agent setting, this increases the chance of overbroad activation that captures sensitive on-screen content such as credentials, messages, or confidential documents.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation provides operational examples for screen capture and recording but omits any warning about collecting sensitive information visible on the screen. Because screenshots and recordings can easily include secrets, personal data, internal documents, or other applications' contents, the lack of privacy guidance materially raises the risk of accidental data exposure.

VirusTotal

63/63 vendors flagged this skill as clean.
