screenshot

Fail

Audited by Socket on Feb 26, 2026

2 alerts found:

Security, Obfuscated File

Security: MEDIUM
SKILL.md

The skill presents a coherent tool for screenshot capture with optional uploads and PR-friendly output. However, there are multiple data-flow and supply-chain signals that warrant caution: (1) automatic installation of remote tooling (npm) during pre-flight increases trust surface and potential supply-chain risk; (2) built-in upload capabilities may exfiltrate captured content to external hosts unless disabled or consented; (3) prompts around bypass tokens for protected deployments introduce credential-handling UX that could be exploited in phishing-like scenarios. Overall, the footprint is coherent with the stated purpose but exhibits medium-risk patterns (data exfiltration potential, remote install flows) that justify treating it as SUSPICIOUS with a leaning toward BENIGN if strict per-run user consent and tight source controls are enforced.

Confidence: 75%
Severity: 75%

Obfuscated File: HIGH
scripts/adapters/desktop.py

This module is intended as a cross-platform screenshot helper but contains broken and mixed platform code fragments, undefined variables, and unsafe patterns: notably direct interpolation of user-controlled strings into code executed by subprocess.run (python -c). While I find no clear evidence of deliberate malware (no network exfiltration, no credentials, no reverse shell), the code presents a significant code/command injection risk and filesystem overwrite risk if used as-is. Treat the snippet as unsafe: do not run it unmodified. Recommended actions: remove mixed-platform fragments, avoid building interpreter code via f-strings with untrusted inputs, use safer APIs (native libraries or well-sanitized subprocess args), validate/sanitize output_path (reject path traversal/overwrites), and add strict error handling and tests. Reacquire an uncorrupted source or repair the broken functions before use.

Confidence: 98%

Audit Metadata
Analyzed At: Feb 26, 2026, 10:21 PM
Package URL: pkg:socket/skills-sh/SZoloth%2Fskills%2Fscreenshot%2F@1f7563d874070f5f993eeeef8a1864812d701dec