Desktop Control Custom

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate desktop-automation skill, but it gives broad control over the user's active desktop without consistently requiring approval or warning about sensitive data exposure.

Install only if you intentionally want an agent that can control your desktop. Keep failsafe enabled, use approval mode where possible, avoid running it while passwords, private documents, chats, admin tools, or sensitive clipboard data are present, and manually review any form submission, file modification, app launch, or public post before it happens.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (23)

Tp4

Category: MCP Tool Poisoning
Severity: High | Confidence: 92%

Finding
The documented capability set materially exceeds the declared description: beyond mouse/keyboard/screen control, it also exposes window enumeration/activation, clipboard access, and examples that enable application launching and broader workflow automation. This matters because desktop-control skills are already highly privileged; understating scope reduces informed consent, weakens policy review, and can cause downstream agents or users to invoke data-accessing or system-manipulating features they did not expect.

Context-Inappropriate Capability

Severity: Medium | Confidence: 93%

Finding
The skill metadata says it provides mouse, keyboard, and screen automation, but it also reads from and writes to the clipboard, which expands it into data access and exfiltration territory. Clipboard contents often contain passwords, tokens, or copied sensitive text, so exposing this capability without clearly declaring and constraining it increases risk.

Context-Inappropriate Capability

Severity: Medium | Confidence: 89%

Finding
Window enumeration and activation go beyond the stated purpose and enable discovery of user activity and targeting of arbitrary applications. In combination with input automation, these methods can be used to focus sensitive windows and then inject keystrokes or capture data from them.

Context-Inappropriate Capability

Severity: Medium | Confidence: 92%

Finding
The agent launches applications by opening the Windows Run dialog and typing a command derived from task input or a fallback value. Because the code is designed for autonomous desktop control and lacks allowlisting, confirmation, or trust boundaries, it can be used to start arbitrary programs and chain that with subsequent keyboard/mouse automation, which materially increases abuse potential.

Description-Behavior Mismatch

Severity: Medium | Confidence: 95%

Finding
The demo accesses, modifies, verifies, and conditionally restores clipboard contents, but the skill metadata only describes mouse, keyboard, and screen control. That omission can mislead users or downstream systems about the real data-access scope of the skill, especially because clipboard contents may contain passwords, tokens, personal data, or other sensitive information.

Description-Behavior Mismatch

Severity: Low | Confidence: 91%

Finding
The code enumerates open window titles and inspects the active window, but the manifest description does not disclose these capabilities. While this behavior may be legitimate for desktop automation, window titles can reveal sensitive information such as document names, websites, project names, or user activity, so the undisclosed capability expands the skill's effective surveillance scope.

Missing User Warnings

Severity: Medium | Confidence: 94%

Finding
The guide explicitly states that the agent takes screenshots of results and later describes before/after screenshot capture for each step, but it does not warn that screens may contain sensitive information such as emails, documents, tokens, or personal data. In a desktop automation context, silent capture and storage of screen contents materially increases privacy and data leakage risk.

Missing User Warnings

Severity: Medium | Confidence: 90%

Finding
The examples include open/save/file operations and automated editing workflows without warning that the agent may modify, overwrite, move, or save user files incorrectly. Because this skill is designed for autonomous desktop control, users could reasonably trigger destructive file changes without understanding the risk.

Missing User Warnings

Severity: Medium | Confidence: 95%

Finding
The guide promotes using resume data for automated form filling but omits any discussion of handling sensitive personal information such as addresses, employment history, contact details, and other PII. In an autonomous agent, this can lead to unintended disclosure, incorrect submission, or entry of sensitive data into untrusted forms.

Missing User Warnings

Severity: Medium | Confidence: 93%

Finding
The social media automation example instructs the agent to post content to Instagram without warning that the action publishes data to a third-party platform and may make it public immediately. Autonomous posting can cause reputational harm, accidental disclosure, or policy violations if content or account context is misread.

Missing User Warnings

Severity: Medium | Confidence: 97%

Finding
The guide shows how to disable the failsafe and labels it as a fast mode, but it does not explain that removing emergency-stop protections can allow uncontrolled mouse and keyboard actions across the entire desktop. In a fully autonomous desktop agent, this significantly increases the chance of runaway actions, unintended clicks, destructive commands, or unsafe interaction with sensitive applications.

Missing User Warnings

Severity: Medium | Confidence: 89%

Finding
The quick reference includes automation sequences that can alter data or system state, such as form submission, file operations, launching programs, and bulk replace actions, but it does not clearly warn users about the risk of unintended clicks, keystrokes, data overwrites, or actions on the wrong window. In a desktop-control skill, these examples are contextually expected, but presenting them as copy-paste-ready snippets without explicit cautions increases the chance of accidental destructive use.

Missing User Warnings

Severity: Medium | Confidence: 95%

Finding
The documentation explicitly shows how to disable failsafe protections using 'failsafe=False' and labels it as maximum speed, but does not immediately state that this removes an emergency stop and increases the risk of uncontrolled input. For a skill capable of mouse, keyboard, window, screenshot, and clipboard automation, removing safety checks can turn minor mistakes into rapid unintended actions affecting files, applications, or sensitive data.

Missing User Warnings

Severity: Medium | Confidence: 95%

Finding
Screenshot capture and clipboard reading can collect highly sensitive information such as passwords, MFA codes, personal messages, documents, API keys, and proprietary data visible on screen or stored in the clipboard. Presenting these capabilities without a prominent privacy warning, consent expectations, retention guidance, or usage restrictions makes accidental or abusive data collection much more likely in a desktop-automation context.

Missing User Warnings

Severity: Medium | Confidence: 97%

Finding
The form-filling example normalizes automated password entry without any caution around secrets handling, storage, logging, shoulder-surfing via screenshots, or inadvertent submission into the wrong window. In a desktop-control skill, encouraging direct credential typing is especially risky because focus mistakes, screen capture, clipboard exposure, or action logging can leak credentials or send them to unintended targets.

Missing User Warnings

Severity: High | Confidence: 98%

Finding
The convenience API silently creates a global controller with require_approval=False, so callers can perform desktop actions immediately with no consent barrier. This makes dangerous capabilities easy to invoke accidentally or abusively, especially because the exported helpers simplify access to clicking, typing, hotkeys, and screenshots.

Missing User Warnings

Severity: Medium | Confidence: 90%

Finding
The scroll method performs direct desktop interaction without calling the approval check used by many other action methods. Even though scrolling may appear low risk, it can manipulate active applications, reveal hidden content, or assist in broader unauthorized UI automation chains.

Missing User Warnings

Severity: Medium | Confidence: 94%

Finding
key_down and key_up change keyboard state without any approval check, allowing unprompted modifier holds and release sequences. These primitives are especially risky because they can be composed into stealthier actions than a simple hotkey, including drag-select, shortcut abuse, or interference with user input.

Missing User Warnings

Severity: High | Confidence: 97%

Finding
Screenshots capture potentially sensitive on-screen data such as messages, credentials, documents, and session details, and this method does so without prior warning or consent. Saving images to disk further increases exposure by creating durable artifacts that may be accessed later or exfiltrated.

Missing User Warnings

Severity: Medium | Confidence: 96%

Finding
Clipboard read/write functions access and modify sensitive user data without warning or confirmation. This can expose copied secrets or overwrite clipboard contents in ways that facilitate credential theft, command injection via paste, or user deception.

Missing User Warnings

Severity: Medium | Confidence: 88%

Finding
The class is explicitly built for autonomous task execution using desktop control, including keystroke injection and window manipulation, but there is no visible consent flow, safety prompt, or step-by-step confirmation before interacting with the host system. In a desktop automation context, this can cause unintended commands, data entry into the wrong window, or abuse by higher-level callers to perform harmful actions on the user's machine.

Missing User Warnings

Severity: Medium | Confidence: 95%

Finding
The agent captures screenshots before and after each step and stores them in the returned result structure without any privacy notice, redaction, minimization, or retention control. Screenshots may contain credentials, personal data, messages, documents, or other sensitive on-screen content, so automatic capture significantly expands privacy and data-exfiltration risk.

Missing User Warnings

Severity: Medium | Confidence: 91%

Finding
The application-launch routine uses system hotkeys to open the Run dialog, types a command, and presses Enter without any explicit warning or confirmation to the user. In this skill's context, that behavior is particularly dangerous because it combines OS-level command execution with automation primitives, enabling rapid unintended or unauthorized system interaction if invoked with unsafe inputs or from an untrusted workflow.

VirusTotal

66/66 vendors flagged this skill as clean.