Desktop Agent Ops

Security checks across malware telemetry and agentic risk

Overview

This is a coherent desktop automation skill, but it needs Review because it can automatically set up dependencies and then control the user's live desktop with broad, implicit authority.

Install only if you intentionally want an agent to operate your live desktop. Review the first-run setup before running it, expect package installs and OS permission prompts, clear sensitive windows and clipboard contents, and require explicit confirmation before sending messages, changing settings, entering credentials, or performing irreversible actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if system == 'windows':
    # PowerShell Set-Clipboard is faster than clip.exe for Unicode
    try:
        subprocess.run(
            ['powershell', '-NoProfile', '-Command',
             f'Set-Clipboard -Value "{text.replace(chr(34), "`" + chr(34))}"'],
            check=True, capture_output=True, timeout=5)
Confidence
83% confidence
Finding
subprocess.run( ['powershell', '-NoProfile', '-Command', f'Set-Clipboard -Value "{text.replace(chr(34), "`" + chr(34))}"'], check=True, cap

subprocess module call

Medium
Category
Dangerous Code Execution
Content
env = os.environ.copy()
env["DESKTOP_AGENT_OPS_PYTHON"] = python_exec
try:
    p = subprocess.run(
        [python_exec, str(smoke)],
        capture_output=True, text=True, timeout=30, env=env,
    )
Confidence
83% confidence
Finding
p = subprocess.run( [python_exec, str(smoke)], capture_output=True, text=True, timeout=30, env=env, )

Tainted flow: 'python_exec' from os.environ.get (line 535, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
env = os.environ.copy()
env["DESKTOP_AGENT_OPS_PYTHON"] = python_exec
try:
    p = subprocess.run(
        [python_exec, str(smoke)],
        capture_output=True, text=True, timeout=30, env=env,
    )
Confidence
95% confidence
Finding
p = subprocess.run( [python_exec, str(smoke)], capture_output=True, text=True, timeout=30, env=env, )

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The setup script installs system packages and performs network-backed dependency acquisition, which exceeds the manifest's stated desktop-control role and increases supply-chain and system-modification risk. In an agent skill, unexpected installation behavior is security-relevant because it expands trust boundaries and persistence on the host.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script downloads OCR traineddata files directly from GitHub at runtime using curl, which introduces a supply-chain risk not reflected in the skill description. Because this skill already seeks screen and automation permissions, any compromised download materially increases host compromise risk.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation text is extremely broad and covers generic desktop GUI control, screenshots, native apps, window focus, click/type flows, and multi-platform workflows. That increases the chance the skill is auto-selected for many ordinary requests, causing unnecessary exposure to screenshot capture, input injection, and shell-based setup even when a narrower or safer skill would suffice.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill mandates automatic setup, package installation, permission enablement, screenshot capture, and input automation as a first action, but does not require an explicit warning or consent flow for privacy-sensitive and system-modifying behavior. In context, this is especially dangerous because desktop screenshots, OCR, clipboard use, and synthetic input can expose secrets, alter user data, send messages, or change system configuration.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill enables implicit invocation without defining narrow trigger conditions, exclusions, or user-confirmation boundaries. Because this skill performs desktop GUI automation, automatic selection can cause unintended screen interaction, input injection, or operation in the wrong application context if the agent misclassifies a task.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
These examples explicitly instruct the agent to send chat messages and verify the outgoing bubble, but they do not require an explicit user confirmation or warning that the action will create external communications and modify data outside the local system. In a desktop automation skill, that omission is risky because the skill is designed for real GUI control and could cause unintended messages to be sent to real recipients if conversation verification is imperfect.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The system settings example tells the agent to navigate settings and change a control, including handling admin/password dialogs, but it does not warn about security, privacy, availability, or system-integrity consequences of changing OS settings. In this skill's context, those instructions are more dangerous because the agent can operate privileged GUI surfaces and may alter important configuration without adequate caution or user confirmation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script performs real pointer movement, clicking, and screenshot capture based on command-line parameters with no interactive confirmation, authorization gate, or visible user warning. In a desktop automation skill, this increases the chance of unintended UI interaction, accidental destructive actions, or capture of sensitive on-screen information if the agent targets the wrong element or context changes.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The type and insert-newline flows may copy arbitrary text into the system clipboard and paste it without preserving or disclosing clipboard changes. In a desktop-control skill, the clipboard can contain sensitive user data, so silent overwrite can leak or destroy user context and may expose secrets to other applications or clipboard sync services.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
Screenshots are written to disk, including full-screen captures by default, without any built-in retention limits, secure storage handling, or user-facing disclosure. In a desktop automation skill this is particularly sensitive because screenshots can capture credentials, personal data, messages, or other high-value on-screen secrets, and temporary files may persist longer than intended.

Missing User Warnings

High
Confidence
91% confidence
Finding
This diagnostic script automatically invokes a desktop automation helper to take a screenshot and move the mouse, which are sensitive GUI actions with real side effects. In the context of a desktop-control skill, this is more dangerous because running the doctor script can capture on-screen data and interfere with the user's active session without an explicit warning, confirmation, or safe dry-run mode.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The script can capture a window region and run OCR over it without any in-script notice, consent checkpoint, or content sensitivity gating. In a desktop automation skill, this increases the chance of unintentionally extracting secrets visible on screen, such as passwords, tokens, emails, or private documents, especially because the skill is explicitly designed to observe and control GUI applications.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script explicitly focuses another application window before performing OCR/template matching, which can change the user's desktop state and potentially expose or interact with unintended content without any in-file disclosure or consent check. In a desktop automation skill, that behavior is expected functionally, but it still creates a real security/privacy boundary issue because window focus can surface sensitive data and enable downstream mis-clicks or unintended actions in the wrong app.

VirusTotal

64/64 vendors flagged this skill as clean.