screen reviewer

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate screen-review tool, but it captures and OCRs full-screen activity, can persist at login, and may send screen-derived summaries to AI providers without strong upfront privacy controls.

Install only if you are comfortable with continuous local screen capture and OCR. Before use, review ~/.screen-reviewer/config.yaml, expand the app blacklist, avoid running it on shared/work-regulated screens without approval, and do not configure cloud AI providers unless you accept sending screen-derived summaries off-device. Use pause/stop/uninstall commands when monitoring is not needed, and manually manage or delete retained logs and reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The code sends aggregated screen-derived activity data, including application names, window titles, OCR-derived text samples, and timelines, to external AI providers. Because this data originates from screenshots, it may contain highly sensitive personal or business information, and the transmission occurs without minimization, redaction, or an explicit consent gate in this code path.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
The script installs persistent macOS LaunchAgents that automatically start screenshot capture at login and schedule report generation daily. In the context of a screen-monitoring tool, persistence materially increases surveillance risk because monitoring continues beyond an interactive session and may be enabled without ongoing user awareness.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
This skill explicitly instructs users to install a daemon, grant Screen Recording and Accessibility permissions, and generate AI reports from captured screenshots, but it does not present a clear privacy warning, consent flow, or data-handling disclosure. Because screenshots can contain credentials, messages, regulated data, and other sensitive content that may be sent to an external AI provider, the omission materially increases the risk of covert over-collection or unexpected transmission of private information.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The documentation promotes automatic screenshot capture and points to a persistent on-disk screenshot directory, but it does not clearly warn users up front that continuous screen contents may be collected and stored locally. Screens frequently contain credentials, messages, documents, financial data, and other sensitive information, so omission of an explicit privacy warning can lead to uninformed consent and accidental exposure.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The install and usage instructions describe generating logs and daily OCR/AI-based review reports without warning that these artifacts may contain extracted sensitive text from the user's screen. Because OCR and AI summaries can centralize and persist otherwise transient secrets or private content, users may unknowingly create highly sensitive reports and logs that are easier to search, share, or exfiltrate than raw screenshots.

Missing User Warnings

Severity: High
Confidence: 95%
Finding:
The README promotes continuous screenshot capture, OCR extraction, long-term logging, and AI-generated reports, but it does not clearly warn users that highly sensitive on-screen content may be collected, retained, and potentially transmitted to third-party AI providers. In a screen-monitoring skill, this omission is especially dangerous because the data source inherently includes passwords, messages, financial information, work documents, and other confidential material that may appear outside the limited blacklist examples.

Vague Triggers

Severity: Medium
Confidence: 76%
Finding:
The trigger phrases are broad enough to match generic requests like productivity analysis, time tracking, activity logging, or 复盘, which could invoke this invasive skill when the user did not intend screen capture. Because the skill performs continuous screenshotting and OCR, over-broad activation materially increases the chance of unexpected sensitive data collection.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The skill description says it monitors computer activities via periodic screenshots and OCR, but it does not present a clear, prominent privacy warning about capturing whatever is visible on screen, including messages, credentials, documents, or regulated data. For a tool with persistent capture and text extraction, lack of explicit warning undermines informed consent and makes accidental privacy harm much more likely.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The configuration supports external AI providers for report generation, which means OCR text and derived activity data may be transmitted off-device, but the markdown does not clearly warn users about that transfer. This is especially dangerous because captured screen content can contain highly sensitive information, and users may assume processing is local unless told otherwise.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding:
The default prompt is broadly phrased and can be triggered by common, non-security-specific requests about reviewing yesterday’s computer activity. In a screen-monitoring skill, overly generic invocation language increases the chance of accidental activation or unintended use on sensitive personal/work data, which can lead to privacy exposure and unauthorized analysis of screenshots and OCR output.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The installer unconditionally deletes any existing paths at ~/.cursor/skills/screen-reviewer and ~/.codex/skills/screen-reviewer before recreating them as symlinks. Even though the target path is fixed and user-scoped, this can destroy prior local content or customizations without confirmation, making it a real safety issue with data-loss impact rather than a direct code-execution vulnerability.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
This loop continuously captures full-screen screenshots, extracts OCR text, records active application and window titles, and writes them to disk, but this file shows no user-facing notice, consent gate, or runtime indicator. In the context of a screen-monitoring skill, that creates a real privacy and surveillance risk because sensitive material such as messages, credentials, documents, and browsing activity can be collected silently and persistently.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The OpenAI and Claude call sites transmit detailed daily activity summaries to third-party services without any in-code notice, confirmation, or consent check. Given the source data includes OCR text and window titles derived from screenshots, silent transmission materially increases privacy and confidentiality risk.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The Ollama path also submits activity summaries over the network to a configured endpoint without any explicit user disclosure at the call site. While Ollama may be local in some deployments, the URL is configurable and could point to a remote host, so the code should not assume the transmission is safe or local.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
