Windows Host UI Bridge

Security checks across malware telemetry and agentic risk

Overview

This skill openly enables an agent in WSL to control the Windows desktop, but the control is broad and not clearly bounded by user confirmation or action limits.

Install only if you intentionally want an agent to operate your Windows desktop from WSL. Use it in a supervised, low-risk session, close sensitive windows before screenshots or actions, require explicit confirmation before clicks or changes, and verify the external npm package before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill explicitly instructs the agent to invoke Windows host-side cmd.exe and npx from WSL to perform UI automation, but it does not provide a clear user-facing warning that actions will execute on the host OS and can manipulate host applications. This is dangerous because cross-OS bridge execution expands the trust boundary from the sandboxed Linux environment to the Windows host, enabling unintended clicks, keystrokes, and workflows on sensitive host software.

Missing User Warnings

Medium
Confidence: 93%
Finding:
The example instructing the agent to take a screenshot of the main display can capture sensitive information visible on the Windows host, such as credentials, proprietary data, patient data, or other private content, yet no privacy warning or consent requirement is documented. In a cross-OS host-control skill, screenshots are especially sensitive because they exfiltrate real host display contents outside the nominal Linux environment.

VirusTotal

63/63 vendors flagged this skill as clean.