capture-screen — agentic threat model
This agent skill presents high local risk: it can execute arbitrary AppleScript, enumerate window IDs, and capture host screen contents, so if compromised it becomes a potential vector for local privilege escalation, data exfiltration, and control of the host desktop.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Rationale |
|---|---|---|
| Autonomy of Action | 0.40 | |
| Goal-Driven Planning | 0.20 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.70 | |
| Persistent Memory | 0.10 | |
| Contextual Awareness | 0.30 | |
| Dynamic Identity | 0.10 | |
| Multi-Agent Interactions | 0.10 | |
| Non-Determinism | 0.30 | |
| Opacity & Reflexivity | 0.20 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “Not certain from the listing” carry general, caveated commentary because the public description does not pin down that layer.
Layer 1, Foundation Models: Not certain from the listing — The listing does not specify the underlying foundation model used to drive this skill. If an unaligned or vulnerable model is used, it could be manipulated via prompt injection to capture sensitive windows or execute unauthorized AppleScript commands.
Layer 2, Data Operations: Not certain from the listing — No dedicated RAG or vector database is mentioned. However, the agent handles highly sensitive transient data by capturing raw screen images and window metadata, which could be leaked if not securely handled in memory.
Layer 3, Agent Frameworks: The agent framework directly integrates with macOS APIs (CGWindowListCopyWindowInfo) and AppleScript. The primary threat is insecure tool integration, where malicious inputs could manipulate the AppleScript execution to target unauthorized applications or perform unintended UI interactions.
Layer 4, Deployment & Infrastructure: The agent runs directly on the host macOS desktop with CLI and AppleScript access. This presents a severe host compromise and privilege escalation risk if the execution environment is not strictly sandboxed or restricted via macOS TCC (Transparency, Consent, and Control) permissions.
Layer 5, Evaluation & Observability: Not certain from the listing — There is no mention of logging, guardrails, or observability mechanisms to monitor which windows are being targeted or to detect anomalous screen capture patterns.
Layer 6, Security & Compliance: Not certain from the listing — No identity, authorization policies, or compliance controls are described. The agent appears to run with the permissions of the host user, lacking fine-grained access control over which applications it can control.
Layer 7, Agent Ecosystem: As an open-source community agent skill, it is highly susceptible to supply chain risks or being integrated into larger, multi-agent workflows where a compromised orchestrator could abuse this skill to silently spy on the user's desktop.
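One shape a guard for the observability and access-control gaps noted above could take, as an added example that is not part of the skill or this listing: every capture request is checked against a per-application allowlist, counted in a sliding one-minute window so bursts are flagged, and written as one JSON audit line. The window dictionaries are constructed samples shaped like CGWindowListCopyWindowInfo output (the kCGWindow* keys are real); CaptureGuard, its thresholds and reason codes are hypothetical.

```python
"""Allowlist guard and audit trail for screen-capture requests (added example, hypothetical)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional
import json
import time

# Constructed sample shaped like CGWindowListCopyWindowInfo entries (real CG dictionary keys).
SAMPLE_WINDOWS = [
    {"kCGWindowNumber": 1043, "kCGWindowOwnerName": "Terminal", "kCGWindowName": "zsh"},
    {"kCGWindowNumber": 2077, "kCGWindowOwnerName": "1Password", "kCGWindowName": "Vault"},
    {"kCGWindowNumber": 3111, "kCGWindowOwnerName": "Safari", "kCGWindowName": "Bank login"},
]

@dataclass
class CaptureGuard:
    """Decides whether the skill may capture a window and records every request."""
    allowed_owners: frozenset          # applications the skill is permitted to capture
    max_per_minute: int = 10           # more requests than this within 60 s is flagged as a burst
    _recent: deque = field(default_factory=deque, repr=False)
    audit_log: list = field(default_factory=list)

    def decide(self, window_id: int, windows: list, now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        # Sliding 60 s window over all requests, allowed or denied, for anomaly detection.
        self._recent.append(now)
        while self._recent and now - self._recent[0] > 60:
            self._recent.popleft()
        burst = len(self._recent) > self.max_per_minute

        # Resolve the requested window ID to its owning application before deciding.
        meta = next((w for w in windows if w.get("kCGWindowNumber") == window_id), None)
        if meta is None:
            decision, reason, owner = "deny", "unknown_window", None
        elif meta["kCGWindowOwnerName"] not in self.allowed_owners:
            decision, reason, owner = "deny", "owner_not_allowed", meta["kCGWindowOwnerName"]
        else:
            decision, reason, owner = "allow", "owner_allowed", meta["kCGWindowOwnerName"]

        record = {"ts": now, "window_id": window_id, "owner": owner,
                  "decision": decision, "reason": reason, "burst": burst}
        self.audit_log.append(json.dumps(record))   # one JSON line per request
        return record

if __name__ == "__main__":
    guard = CaptureGuard(frozenset({"Terminal"}))
    for wid in (1043, 2077, 9999):
        print(guard.decide(wid, SAMPLE_WINDOWS))
```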
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).