Is emasoudy/screen-monitor safe?

https://github.com/openclaw/skills/tree/main/skills/emasoudy/screen-monitor

88
SAFE

This screen monitoring skill functions as advertised, providing WebRTC-based screen sharing and analysis capabilities. While technically sound with no malicious behavior detected, it has inherent privacy risks due to desktop screenshot capabilities and network-accessible screen data storage.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (5)

MEDIUM Desktop Screenshot Capability -15

The skill can capture full desktop screenshots via ImageMagick's 'import -window root' command or macOS screencapture. This provides broad access to all visible screen content including sensitive information.

MEDIUM LAN-Accessible HTTP Server -7

The Node.js server runs on port 18795 with CORS enabled (*) and serves screen capture data. This makes screen content accessible to other devices on the local network.

LOW External HTTP Requests -5

The env-check.sh script may perform curl requests to external vision model endpoints, potentially exposing system information.

LOW Screen Data Persistence -20

Screenshots and metadata are stored in the /tmp/ directory, where they could be accessed by other processes until cleanup.

INFO Temporary File Storage -5

Screen captures are stored at predictable paths (/tmp/clawdbot-screen-latest.png), which could be accessed by other processes.