Screen Monitor
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill’s screen-sharing purpose is clear, but it needs review: it can capture and control sensitive screen and browser content, and it exposes and retains screen frames with weak boundaries (a frame-ingest endpoint open to any origin with no token, a full-desktop screenshot fallback with no approval step, and a frame file under /tmp that may outlive the sharing session).
Install only if you need screen sharing or browser-control assistance. Run it only on trusted networks, do not attach tabs with sensitive logged-in sessions, confirm every click or keystroke manually, and delete /tmp/clawdbot-screen-latest.png after use if the skill does not do so itself.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could perform actions in websites or accounts open in Chrome if the browser relay is attached.
The skill explicitly lets the agent click and type in an attached Chrome tab, which may run inside the user’s logged-in browser session, but it defines no approval step, no domain allowlist, and no limit on which actions may be performed.
Full Control (Browser Relay) ... UI automation, and clicking/typing in tabs. ... browser action:click: Interact with elements (requires profile="chrome").
Use this mode only on trusted pages, require confirmation before clicks or typing, and avoid attaching tabs with sensitive or high-impact accounts unless needed.
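One way to supply the missing approval, domain and action limits, as an added example written for this review rather than code from the skill or from ClawScan: a policy gate the agent must pass through before the relay performs a click or keystroke. The policy shape, the action names apart from "click" (the only one quoted above), the confirm() callback and the performAction() signature are assumptions, and the allowlisted origin is a constructed placeholder.

```javascript
'use strict';
// Added example (not the audited skill's own code): an approval, domain and
// action policy to sit between the agent and the relay's click/type actions.
// Hypothetical throughout: the policy shape, the action names other than
// "click" (the only one quoted on this page), the confirm() callback and the
// performAction() signature. The allowlisted origin is a constructed example.

const DEFAULT_POLICY = {
  allowedOrigins: ['https://docs.example.com'],    // exact origins; an empty list denies everything
  readOnlyActions: ['screenshot', 'read_text'],
  mutatingActions: ['click', 'type'],
  // Pages where even a confirmed click is too risky inside a logged-in session.
  blockedPathPatterns: [/^\/(login|signin|checkout|settings|billing)(\/|$)/i],
};

// Compare the full origin (scheme + host + port). A hostname substring check
// would accept "docs.example.com.attacker.net".
function originAllowed(tabUrl, policy) {
  let u;
  try { u = new URL(tabUrl); } catch { return false; }
  return policy.allowedOrigins.includes(u.origin);
}

// Returns { decision: 'allow' | 'confirm' | 'deny', reason }.
function evaluateAction(action, tabUrl, policy = DEFAULT_POLICY) {
  const readOnly = policy.readOnlyActions.includes(action.type);
  const mutating = policy.mutatingActions.includes(action.type);
  if (!readOnly && !mutating) return { decision: 'deny', reason: `unknown action "${action.type}"` };
  if (!originAllowed(tabUrl, policy)) return { decision: 'deny', reason: 'tab origin is not on the allowlist' };
  if (readOnly) return { decision: 'allow', reason: 'read-only action on an allowed origin' };
  const pathname = new URL(tabUrl).pathname;   // parse already succeeded in originAllowed
  if (policy.blockedPathPatterns.some((re) => re.test(pathname))) return { decision: 'deny', reason: 'sensitive page' };
  if (action.type === 'type' && /password/i.test(action.target || '')) {
    return { decision: 'deny', reason: 'never type into a password field' };
  }
  return { decision: 'confirm', reason: `"${action.type}" changes page state; the user must approve it` };
}

// Wrapper the agent calls instead of the raw relay action. `performAction` is the
// relay's real click/type function and `confirm` asks the human (both hypothetical).
async function guardedAction(action, tabUrl, performAction, confirm, policy = DEFAULT_POLICY) {
  const verdict = evaluateAction(action, tabUrl, policy);
  if (verdict.decision === 'deny') throw new Error(`blocked: ${verdict.reason}`);
  if (verdict.decision === 'confirm') {
    const approved = await confirm(`Allow ${action.type} on "${action.target}" at ${tabUrl}?`);
    if (!approved) throw new Error('blocked: user declined');
  }
  return performAction(action);
}
```

Read-only actions on an allowlisted origin pass without a prompt; every click or keystroke on such an origin is held for the user; anything else is denied by default. The origin comparison is deliberately exact so that a different port, scheme or lookalike host is treated as a different site.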
Running analysis when the portal is inactive may still capture the whole desktop, including private information visible on screen.
If no portal frame exists, the analysis script falls back to taking a full OS screenshot. That is sensitive screen access and is not clearly gated by an explicit user approval step in the skill instructions.
echo "No portal active. Taking OS screenshot..."
import -window root "$SCREENSHOT"
...
screencapture -x "$SCREENSHOT"
Disable the OS screenshot fallback by default or require an explicit user confirmation before taking a desktop screenshot.
A local web page or network peer that can reach the service may overwrite what the agent analyzes, potentially confusing the agent or injecting misleading visual context.
The frame-ingest endpoint accepts POSTs from any browser origin and writes the submitted image as the latest screen frame, with no token, authentication, or origin binding shown.
res.setHeader('Access-Control-Allow-Origin', '*');
...
if (req.url === '/api/screen-frame' && req.method === 'POST') {
...
fs.writeFileSync(FRAME_PATH, buffer);
Bind the backend to localhost unless remote access is explicitly needed, add a per-session token, restrict CORS to the portal’s own origin, and validate request size and origin. Binding to localhost alone is not sufficient: a web page open in the user’s browser can still reach a loopback service, so the token is the control that stops such a page from planting frames.
A previous screen frame may remain on disk and be analyzed later even after the user believes sharing has stopped.
The analysis script treats any existing frame file as an active screen-share frame, with no freshness, source, or deletion check.
FRAME_PATH="/tmp/clawdbot-screen-latest.png"
if [ -f "$FRAME_PATH" ]; then
echo "Found active WebRTC frame. Analyzing..."
SCREENSHOT="$FRAME_PATH"
Delete or expire the frame when sharing stops, store it in a private per-session location, and check timestamps before reuse. Note also that a fixed path under /tmp is readable by other local accounts unless the file is written with restrictive permissions, which the excerpt does not show; that is a second reason to move it.
