Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Windows Host UI Bridge

v1.0.1

Bridge: Cross-OS UI automation for Windows Host

by Minhao Wang @2059247714
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill claims to operate from a Linux (WSL2) environment to control the Windows host, so requiring /mnt/c/Windows/System32/cmd.exe is coherent. However, the SKILL metadata also lists 'node' as a required binary on the Linux side, while the runtime template explicitly invokes the Windows-side npx (C:\PROGRA~1\nodejs\npx.cmd). Requiring a Linux 'node' binary appears unnecessary or inconsistent with the provided command template.
! Instruction Scope
Instructions tell the agent to invoke the Windows cmd.exe to run a Windows npx command that pulls and runs @midscene/computer@1 with a user-provided prompt. The document prescribes sanitizing action_prompt by removing a small set of characters (; & | $ >), but this list is incomplete: it fails to address quotes, backticks, percent expansion, carets, newlines, Windows-specific escapes, etc. Because the agent is instructed to execute commands on the Windows host, insufficient sanitization and reliance on a short blacklist meaningfully increase the risk of command injection or unintended host actions.
! Install Mechanism
There is no install spec, but the runtime template uses npx to fetch and execute @midscene/computer@1 at runtime. That means arbitrary code will be downloaded from the npm registry (or whatever registry npx uses) and executed on the Windows host. The skill provides no provenance, checksum, or pinned release; dynamic npx execution of an unvetted package is high-risk and effectively functions as a runtime install of unreviewed code.
Credentials
The skill requests no environment variables or credentials, which is consistent with a UI-automation bridge. However, it implicitly requires access to the Windows host filesystem and command execution (/mnt/c/Windows/System32/cmd.exe). The absence of any declared Windows-side configuration or provenance for the remote package (and the unnecessary Linux 'node' requirement) is noteworthy but not strictly contradictory.
! Persistence & Privilege
The skill is not marked 'always', but it allows normal autonomous invocation. Autonomous invocation combined with the ability to run arbitrary Windows commands and to npx-install and execute remote packages increases the potential blast radius. Autonomous invocation alone is normal, but here it amplifies the risk because runtime behavior includes remote code execution on the host.
What to consider before installing
- This skill instructs the agent to run Windows cmd.exe from WSL and to call npx to fetch and run the package @midscene/computer@1 on the Windows host. That means it will download and execute code on your Windows machine at runtime — treat that like installing software from an untrusted source.
- The SKILL.md asks the agent to ‘sanitize’ prompts by removing a few characters, but the blacklist is incomplete. Malicious or malformed input could still trigger arbitrary commands on the host.
- There is an explicit mismatch: the skill declares 'node' as a required binary on the Linux side, but the runtime command uses a Windows npx path. Ask the author why a Linux node is required or whether the template is accurate.
- If you consider using this skill: require the package author to provide provenance (repository, homepage, signed release, checksum), avoid runtime npx of unpinned packages, and prefer a vetted binary or an explicit install step you control. Limit autonomous invocation (require explicit user confirmation), test in an isolated disposable WSL/Windows environment, and audit the @midscene/computer package source before granting access.
- If you cannot verify the remote package and the author’s intent, treat the skill as high-risk and avoid installing it on production machines.


Tags: automation, latest, windows, wsl2

Runtime requirements

OS: Linux
Bins: /mnt/c/Windows/System32/cmd.exe, node
