ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Give eyes to your openclaw

v1.0.1

Give your agent eyes — capture screenshots, voice, and annotations from any screen, monitor, or device via MCP.

0· 465·3 current·3 all-time
by@wolverin0
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name, description, and declared requirements (python, ffmpeg, EYE2BYTE_MCP_TOKEN) align with a screen-capture/recording tool that runs locally and exposes an MCP endpoint. The primary credential (MCP token) is appropriate for remote SSE transport.
Instruction Scope
SKILL.md instructs local captures and local storage (~/.eye2byte/output/) which fits the stated purpose. However it explicitly allows using an external 'vision model API the user configured' and remote SSE transport; those configurations would cause captures and transcriptions to be sent off-machine. The file also states the token is stored in openclaw.json — reading/writing agent config is expected but worth noting.
Install Mechanism
The install spec uses a 'uv' package named eye2byte that creates an 'eye2byte' binary. SKILL.md references a GitHub repo and PyPI project, so installing a package is consistent, but any install that extracts or installs binaries writes code to disk — verify the package source (PyPI/GitHub) and integrity before installing.
Credentials
Only one required environment variable (EYE2BYTE_MCP_TOKEN) is listed and it matches the described remote transport use-case. No unrelated secrets or config paths are requested.
Persistence & Privilege
always is false and model invocation is disabled (skill is user-invocable only), so the skill cannot autonomously run. It stores its own outputs under a user path and the MCP token in openclaw.json as described — this is within expected behavior.
Assessment
This skill appears to do what it advertises, but check these things before installing: (1) Confirm the 'eye2byte' package source on PyPI/GitHub matches the SKILL.md links and review the repo/readme for maintainership and recent releases. (2) Be aware that although captures are claimed to be local, configuring a remote SSE transport or a third‑party vision API will send images/audio off the machine — only enable those if you trust the destination. (3) Treat EYE2BYTE_MCP_TOKEN like any secret; check where it's stored (openclaw.json) and rotate it if you stop using the service. (4) Because the installer creates a binary, consider installing in a controlled environment first (or review the package contents) if you run this on sensitive systems.

Like a lobster shell, security has layers — review code before you run it.

latestvk97at7v155s4a9nxwvb2q2311981y8cb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

👁 Clawdis
Binspython
Any binffmpeg
EnvEYE2BYTE_MCP_TOKEN
Primary envEYE2BYTE_MCP_TOKEN

Install

uv
Bins: eye2byte
uv tool install eye2byte

Comments