clearshot
Audited by Socket on Mar 30, 2026
3 alerts found:
Security x3
SUSPICIOUS. The core screenshot-analysis purpose is plausible, but the skill’s footprint exceeds that purpose with mandatory shell execution, mutable self-update via git pull, persistent local analytics/feedback logging, and outbound telemetry to a third-party Convex endpoint. This is not confirmed malware, but it is higher-risk than a normal UI-analysis skill due to unnecessary execution and data-flow scope.
This module is an installer/updater wrapper that clones/pulls a remote GitHub repository (tracking origin/main) into a local directory and immediately executes `bash ./setup`. While the wrapper itself shows no explicit malicious logic (no exfiltration/credential theft/persistence visible), it has a significant supply-chain integrity risk due to unpinned, unverified remote code execution. The symlink-handling path further increases risk by trusting the resolved symlink target if it contains a .git directory. Recommend pinning to a specific commit, verifying signatures/checksums, and hardening symlink/path validation before executing setup.
This module is a high-risk supply-chain bootstrapper: it downloads (clone/pull) a hardcoded remote Git repository and immediately executes its `./setup` script with no integrity/authenticity verification. While the snippet itself shows no explicit credential theft or data exfiltration logic, the mechanism creates a direct pathway for arbitrary code execution if the remote source is compromised. Strongly review/lock down the supply chain (pin to a commit, verify signatures/checksums, and avoid shell-based `execSync` where possible).