SaaS (Screenshot As A Service)

ReviewAudited by ClawScan on May 10, 2026.

Overview

This is a coherent instruction-only screenshot API skill, but users should be careful because URLs, optional cookies/headers, and screenshot content are sent to an external service.

This skill appears purpose-aligned for cloud screenshots. Before installing, understand that requests go to snap.llm.kaveenk.com; do not send private URLs, session cookies, bearer tokens, or sensitive page content unless you trust that service.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium

#ASI07: Insecure Inter-Agent Communication

What this means

If used on private or logged-in pages, the external screenshot service may receive sensitive URLs, headers, cookies, and rendered page content.

Why it was flagged

The skill sends screenshot requests to an external provider and supports optional cookies and custom headers, which could include sensitive authentication material.

Skill content

Free screenshot API at `https://snap.llm.kaveenk.com` ... `cookies` ... `headers`

Recommendation

Use this only for URLs and authentication data you intentionally want to send to the provider; avoid browser session cookies or sensitive headers unless necessary.

Low

#ASI03: Identity and Privilege Abuse

What this means

The agent or user must manage a service credential; if exposed, someone else could use the screenshot quota or make requests under that key.

Why it was flagged

The skill requires a bearer API key for the screenshot service, even though the registry declares no primary credential.

Skill content

Register for an API key ... **IMPORTANT:** Store `key` securely. It cannot be recovered.

Recommendation

Store the API key like a secret and rotate or replace it if it is shared accidentally.

Low

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Users cannot confirm from the provided artifacts how the remote service handles URLs, cookies, headers, screenshots, or retention.

Why it was flagged

The skill markets the service as open source, but the supplied metadata does not provide a repository or homepage to verify the implementation.

Skill content

Source: unknown; Homepage: none

Recommendation

Review the provider’s source, documentation, and privacy practices before using it for sensitive or authenticated pages.