Back to skill

Security audit

Screen Monitor

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real screen-sharing skill, but it needs review because it handles sensitive screen images with weak access controls and limited privacy disclosure.

Review before installing. Use only on trusted networks and non-sensitive screens, prefer sharing a single window, stop sharing when finished, and assume screenshots may be stored locally under /tmp and analyzed by the configured agent/model. Avoid using it where passwords, private messages, customer data, admin consoles, or regulated information may appear.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill invokes shell commands to generate a share URL and analyze the screen, but it does not declare corresponding permissions or execution boundaries. Hidden or undeclared code-execution capability reduces transparency and makes it easier for a user or host system to authorize screen capture and local command execution without understanding the full trust implications.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill is described as analyzing a shared screen feed, but when no portal frame exists it silently falls back to capturing the entire OS desktop. That expands access from an expected shared-session artifact to potentially all visible on-screen data, including unrelated apps, secrets, and personal content, creating a privacy and data-exfiltration risk beyond the declared behavior.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code invokes native full-screen capture tools (`import -window root` or `screencapture -x`) even though the stated purpose is shared-screen analysis. This grants broader collection capability than necessary and can expose sensitive local desktop contents that the user did not intend to share with the agent.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README instructs users to start browser-based screen sharing and ask questions about their screen, but it does not warn that sensitive on-screen content may be exposed to the skill, the local sharing endpoint, or the connected multimodal model. For a screen-analysis skill, omission of privacy and data-handling warnings increases the risk of accidental disclosure of credentials, personal data, internal documents, or other confidential information.

Vague Triggers

Low
Confidence
69% confidence
Finding
The skill description is broad and does not define when it should or should not be invoked, despite enabling screen viewing, analysis, and browser interaction. Weak activation boundaries increase the chance of overbroad or accidental use in contexts where screen capture or browser control is unnecessary or privacy-sensitive.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill enables screen capture, screenshot analysis, browser clicking, and typing, but it does not prominently warn about privacy exposure, sensitive data capture, or the consequences of remote interaction. Because screens commonly contain credentials, personal data, messages, and privileged application state, using these features without explicit warning and consent creates substantial risk of data leakage or unintended actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The endpoint accepts base64-encoded screen frames from any origin and writes them to predictable files in /tmp without authentication, consent checks, retention controls, or size validation. In a screen-sharing context, this is dangerous because highly sensitive on-screen data may be captured and persisted locally where other processes or users may access it, and the unauthenticated write path also enables abuse such as overwriting the stored screenshot or causing resource exhaustion.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script captures a screenshot and forwards its path for agent vision analysis without any meaningful user warning, consent flow, or notice about privacy exposure. In this context, the analyzed image may contain credentials, messages, documents, or other sensitive information, so lack of transparency materially increases the chance of unintended disclosure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The page captures the user's screen and silently uploads PNG frames to the backend every 3 seconds after sharing starts, but the UI does not clearly disclose that repeated image exfiltration is occurring or what data leaves the browser. In a screen-monitoring skill, this is especially sensitive because screens commonly contain secrets, personal data, internal documents, tokens, and messages; ongoing backend transmission materially increases privacy and data-exposure risk beyond local preview alone.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.