MacPilot : Control macOS using CLI

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent macOS automation documentation, but it gives agents very broad control over apps, dialogs, screen capture, clipboard history, and shell commands without enough user-confirmation guardrails.

Install only if you intend to give an agent desktop-level macOS control. Use it with explicit approvals for shell commands, file writes or overwrites, permission prompts, clipboard history, screenshots, recordings, and clicks in sensitive apps; stop and clear clipboard history when finished and revoke macOS permissions when no longer needed.

SkillSpector (by NVIDIA)
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Description-Behavior Mismatch (Medium severity, 92% confidence)
The front-matter description frames the skill as screenshot and OCR functionality, but the body also documents screen recording. That mismatch can cause operators or policy layers to underestimate the skill's ability to continuously capture visual content, including potentially sensitive information visible on screen over time.

Description-Behavior Mismatch (Medium severity, 94% confidence)
The skill is presented as passive screenshot/OCR tooling, but it also includes OCR-driven click automation that can actively interact with applications. This expands the capability from observation to action, which materially changes risk because it can trigger UI operations, confirmations, or navigation without the description making that clear.

Missing User Warnings (Medium severity, 84% confidence)
The skill advertises broad macOS automation via Accessibility APIs but does not clearly warn that it enables powerful interaction with applications, UI controls, files, clipboard, and system functions under high-privilege permissions. This omission can cause users or downstream agents to underestimate the safety and data-integrity risks of granting Accessibility and Screen Recording access.

Missing User Warnings (Low severity, 80% confidence)
The example prompts encourage browser navigation, screenshots, window manipulation, and file-saving actions without any caution that these operations can affect user data, disclose on-screen information, or trigger unintended side effects. In an agent-skill context, examples strongly shape behavior, so omission of warnings increases the chance of unsafe automation being treated as routine.

Missing User Warnings (Medium severity, 93% confidence)
The skill explicitly enables broad system control, shell execution, UI automation, and application manipulation, but it does not instruct the agent to obtain user confirmation before performing potentially destructive or privacy-sensitive actions. In an automation skill, that omission materially increases the risk of unintended file changes, command execution, app control, or other side effects being performed without adequate safety gating.

Missing User Warnings (Medium severity, 96% confidence)
Clipboard history tracking can capture passwords, tokens, personal data, and other sensitive content copied from unrelated applications, yet the skill presents it as a normal capability without any privacy warning or consent requirement. Because this is a macOS automation skill with broad desktop access, normalizing background clipboard collection makes the privacy risk more severe in context.

Missing User Warnings (Medium severity, 88% confidence)
The example workflow demonstrates creating and saving a file on the user's system without warning that it modifies persistent user data or may overwrite existing files depending on context. Even though the example is instructional, in an automation skill this can encourage agents to perform write operations without confirming destination, filename, or user intent.

Missing User Warnings (Medium severity, 92% confidence)
The skill explicitly documents a workflow that proceeds through a save operation and then clicks a "Replace" confirmation without requiring any validation of the target path, overwrite status, or user intent. In an automation context, this can cause unintended destruction of existing files if the dialog is acting on the wrong location or filename.

Missing User Warnings (Medium severity, 95% confidence)
The guidance recommends using `click-primary` to accept whatever default action a dialog presents, with fallback to labels like Allow, Yes, Continue, Open, and Save. Because many security, privacy, and destructive-action prompts place the risky choice on the primary button, this broad automation can approve unsafe actions without examining dialog content or user intent.

Missing User Warnings (Medium severity, 89% confidence)
The documentation describes screenshot capture, OCR, and screen recording, including audio recording, without warning that these features may collect sensitive on-screen data, credentials, personal information, or conversations. In practice, such omissions increase the chance of accidental over-collection and unsafe use in environments containing confidential material.

Missing User Warnings (Medium severity, 91% confidence)
The OCR click workflow enables automatic clicking based on recognized text but does not warn that misrecognition or ambiguous matches can trigger unintended actions such as accepting prompts, submitting forms, or dismissing security dialogs. Because the feature directly performs UI actions, even small OCR errors can have outsized consequences.

Missing User Warnings (Medium severity, 90% confidence)
This skill explicitly enables reading, clicking, and modifying UI elements in arbitrary macOS applications, including fallback coordinate-based clicking, but provides no safety guidance, confirmation requirements, or scope restrictions. In an agent setting, that creates a meaningful risk of unintended or unauthorized actions in other apps, such as changing settings, submitting forms, or interacting with sensitive dialogs.

Missing User Warnings (Medium severity, 88% confidence)
The skill explicitly documents disruptive actions such as closing windows and restoring layouts, but it does not warn that these operations can interrupt active work, overwrite a user's current workspace arrangement, or trigger loss of unsaved state in affected applications. In an agent setting, this omission increases the chance that an automated workflow will perform destructive UI actions without user confirmation or preflight checks.

VirusTotal

66/66 vendors flagged this skill as clean.