Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Remote Install

v1.0.0

Automates remote Windows software installation by detecting installers and controlling GUI to silently install .exe/.msi packages like Office, Adobe, and Chr...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill claims to automate Windows installer GUIs which matches the included Python script, but the code embeds a RustDeskController (connect/start/find RustDesk windows, accept remote ID/password) even though the SKILL.md and metadata do not declare RustDesk as a required integration or request any remote credentials. The registry access and GUI control are coherent for local installs, but the implicit remote-control capability is not documented in the description or requirements (no required binaries listed).
! Instruction Scope
SKILL.md instructs scanning user folders, detecting .exe/.msi and automating clicks — which is coherent — but the runtime code also supports connecting to remote machines via RustDesk and logs the remote ID and password (logging.info includes credentials). The SKILL.md does not explain how remote IDs/passwords are obtained, handled, or required, and it claims 'Only run with user authorization' without specifying how credentials or consent are managed.
Install Mechanism
This is an instruction-only skill with a Python script and a requirements.txt listing standard packages (pyautogui, pywinauto, Pillow). There is no download from arbitrary URLs or extract/install of third-party code beyond pip-installable libraries. That said, these GUI automation packages require platform-level permissions but pose no unusual installer-hosting risk.
! Credentials
The skill declares no environment variables or credentials but the code will interact with the Windows registry, filesystem (Desktop/Downloads/Documents), and may accept remote IDs/passwords for RustDesk. Critically, the code logs remote IDs and passwords to installer.log, which is disproportionate for the stated purpose and risks credential exposure. There are no justifications in SKILL.md for capturing or logging sensitive authentication material.
Persistence & Privilege
The skill is not marked always:true, does not modify other skills, and writes only a local installer.log and uses config.json in its directory. It does require GUI access and may need elevated permissions to install software, but it does not request persistent platform privileges in metadata.
What to consider before installing
This skill implements GUI automation for Windows installs, which can be useful, but it contains undeclared remote-control code (RustDeskController) and actively logs remote IDs and passwords to a local log file. Before using: (1) don't supply real credentials until you confirm how they are handled; (2) inspect/modify the code to remove or redact logging of sensitive inputs (avoid logging passwords/IDs); (3) run only on test or controlled machines with no sensitive data; (4) require explicit, documented consent and a secure method for passing remote credentials (avoid plaintext in logs/config); (5) consider requiring RustDesk be declared as a dependency and document the remote-connection workflow. If you are not comfortable reviewing or changing the script, treat this skill as risky and avoid installing it on production or personal machines.
