Screenshot Tool
Warn
Audited by ClawScan on May 10, 2026.
Overview
The tool mostly matches its screenshot purpose, but on Windows a crafted output filename could make the bundled script run unintended PowerShell commands.
This skill appears intended for local screenshots, but do not install or use it on Windows until the unsafe PowerShell output-path handling is fixed. If you use it on other platforms, remember that screenshots can include private information and should be reviewed before sharing.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anything visible on the screen could be captured in the saved image.
The script invokes local operating-system screenshot utilities. This is expected for a screenshot tool, but it gives the agent the ability to capture visible screen contents into files.
cmd = ['gnome-screenshot'] ... subprocess.run(cmd, check=True)
Use it only when you intend to capture the screen, close or hide sensitive windows first, and review screenshots before sharing them.
On Windows, a maliciously crafted output filename could cause arbitrary PowerShell commands to run under the user's account.
The user-controlled output path is directly inserted into a PowerShell command string on Windows. If the output value contains quotes or PowerShell syntax, it could execute unintended commands.
parser.add_argument('--output', help='Output file path') ... $bitmap.Save("{output}") ... subprocess.run(['powershell', '-Command', ps_script], check=True)
Fix the script before use on Windows: validate and restrict output paths, escape PowerShell strings safely, or avoid building PowerShell code with unsanitized user input.
