Screen Monitor

This skill appears to implement what it claims, but please consider these risks before installing or running it: - Local server exposure: The backend sets Access-Control-Allow-Origin: '*' and serves on LAN IP/port 18795 by default. If you expose that port to your LAN, other LAN users (or malware on your network) could submit frames or interact with the endpoint without authentication. Prefer binding the server to localhost only or adding an authentication token. - Unauthenticated frame storage: Captured frames are written to /tmp/clawdbot-screen-latest.png (and metadata to /tmp). These files can be read by other local users/processes. If you have sensitive on-screen content, don't run this on a shared machine. - OS screenshots & system commands: The screen-analyze.sh script can invoke OS-level screenshot tools and will call 'clawdbot agent' to analyze images. Make sure you trust the skill source before letting it take screenshots or access the agent runtime. - Config and network access: env-check.sh reads Clawdbot configuration and may contact a vision model endpoint (default localhost:8080). Verify that this behavior is acceptable and that no sensitive endpoints will be queried or leaked. - Mitigations if you want to try it: run it on an isolated machine or VM, modify backend-endpoint.js to listen on 127.0.0.1 only and remove CORS '*', add simple token-based auth for /api/screen-frame, ensure /tmp files are removed after use and have restrictive permissions, and inspect/host the code yourself rather than fetching unknown builds. If you don't trust the author/repository, avoid installing it on machines with sensitive data. Given the lack of documented authentication and the fact this skill can capture and persist screen images, treat it as potentially sensitive and proceed only with the above safeguards.