Trust Assessment
screen-monitor received a trust score of 77/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 2 medium, and 0 low severity. The findings are "Unconditional OS Screenshot and Data Exfiltration" (high), "Potential Command Injection via VISION_URL" (medium), and "CORS Wildcard Allows Screenshot Manipulation/Prompt Injection" (medium).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unconditional OS Screenshot and Data Exfiltration: The `screen-analyze.sh` script, if the WebRTC frame is not active, unconditionally captures a full screenshot of the user's entire operating system desktop. This screenshot, which can contain highly sensitive personal or confidential information, is then directly transmitted to the `clawdbot agent` for analysis. This occurs without explicit, granular user consent for each capture, posing a significant data exfiltration and privacy risk. Implement explicit user consent or confirmation before taking an OS-level screenshot. Provide options for the user to select specific windows or areas to capture, rather than the entire screen. Clearly inform the user about the scope of data being captured and its transmission to the LLM. | LLM | references/screen-analyze.sh:10 |
| MEDIUM | Potential Command Injection via VISION_URL: The `VISION_URL` variable, which can be sourced from `clawdbot config` or environment variables, is directly interpolated into a `curl` command without sufficient sanitization. If an attacker can manipulate `VISION_URL` to include shell metacharacters (e.g., `;`, `$(...)`, `` `...` ``), they could execute arbitrary commands on the host system. Validate `VISION_URL` to ensure it is a well-formed URL before use. Consider using a language-specific HTTP client (e.g., Node.js `http` module) instead of `curl` for network requests to avoid shell injection risks. Ensure `clawdbot config` values are properly sanitized or restricted. | LLM | references/env-check.sh:10 |
| MEDIUM | CORS Wildcard Allows Screenshot Manipulation/Prompt Injection: The `backend-endpoint.js` server uses `Access-Control-Allow-Origin: *`, allowing any website to make requests to the local server running on port 18795. A malicious website could exploit this by sending a POST request to `/api/screen-frame` to overwrite `/tmp/clawdbot-screen-latest.png` with an arbitrary image. If the agent then analyzes this manipulated image, it could lead to prompt injection (if the image contains instructions) or data manipulation, causing the agent to 'see' and act upon false information. Restrict `Access-Control-Allow-Origin` to `http://localhost:18795` or other specific trusted origins. Implement token-based authentication or other access controls for the `/api/screen-frame` endpoint to ensure only authorized sources can submit frames. | LLM | references/backend-endpoint.js:8 |