ClawHub

Screengrab

Security checks across malware telemetry and agentic risk

Overview

This is a transparent local macOS screenshot tool, but users should remember it can capture anything visible on screen.

Install only if you want an agent to capture your visible Mac screen. Close or hide sensitive windows first, prefer a specific display when possible, use --count for watch mode, and delete saved screenshots from /tmp or any custom output folder when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill invokes shell-accessible functionality (`python3 scripts/screengrab.py ...`) but does not declare permissions, which weakens governance and informed consent around a capability that can collect local system data. In an agent setting, undeclared shell access increases the chance the skill is used without appropriate review or policy enforcement.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This skill is specifically designed to capture whatever is currently visible on a user's macOS displays, which can include passwords, messages, internal documents, tokens, or other sensitive information. The description normalizes remote awareness and debugging use without a clear privacy warning or explicit-consent requirement, making accidental sensitive data collection significantly more likely.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This skill is explicitly designed to capture the current screen and supports unattended periodic watch mode, which can collect highly sensitive information such as credentials, messages, documents, and other visible user data. In an agent context, this is more dangerous because it enables broad visual surveillance of the host environment without any built-in consent check, privacy warning, redaction, retention limit, or access restriction.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal