Macos Desktop Control

Security checks across malware telemetry and agentic risk

Overview

This macOS control skill does useful local automation, but it also includes under-disclosed cloud sync, cron scheduling, and raw command execution paths that deserve manual review before installation.

Install only if you are comfortable granting macOS automation permissions to a broad desktop-control tool. Avoid enabling CLAWHUB_API_KEY, setup_cron.sh, scheduled_task.sh, or ControlMemory sync unless you intentionally want operation history shared or run on a schedule. Review controlmemory.md before reusing stored operations, and do not pass untrusted text into the natural-language, clipboard, QQ, or stored-script execution paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (111)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
sync_script = self.script_dir / "clawhub_sync.py"

if sync_script.exists():
    # The path is interpolated into a string handed to /bin/sh; spaces or
    # shell metacharacters in the path change the command that runs
    os.system(f"python3 {sync_script}")
else:
    print_color(Colors.YELLOW, "⚠️  Sync script not found, skipping sync")
Confidence
96% confidence
Finding
os.system(f"python3 {sync_script}")

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    print_color(Colors.BLUE, f"   Contact: {buddy}")
    print_color(Colors.BLUE, f"   Message: {message}")
    print("")
    # buddy and message are interpolated into a shell=True string; a single
    # quote in either value ends the argument and the remainder runs as shell
    subprocess.run(f"bash {SCRIPT_DIR}/../../../scripts/qq-send-auto.sh '{buddy}' '{message}'", shell=True)

elif action == 'system_info':
    print_color(Colors.GREEN, "💻 System info:")
Confidence
99% confidence
Finding
subprocess.run(f"bash {SCRIPT_DIR}/../../../scripts/qq-send-auto.sh '{buddy}' '{message}'", shell=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
elif action == 'clipboard_set':
    text = params.get('text', '')
    print_color(Colors.GREEN, "📋 Copying text to clipboard...")
    # text is wrapped in double quotes inside a shell=True string; a `"`,
    # `$(...)` or backtick in it is interpreted by the shell, not copied
    subprocess.run(f"bash {SCRIPT_DIR}/clipboard.sh set \"{text}\"", shell=True)

elif action == 'mouse_position':
    print_color(Colors.GREEN, "🖱️  Mouse position:")
Confidence
98% confidence
Finding
subprocess.run(f"bash {SCRIPT_DIR}/clipboard.sh set \"{text}\"", shell=True)
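The QQ and clipboard findings above (and the os.system() call on the sync script) share one defect: a user-controlled value is interpolated into a string that is then parsed by /bin/sh. The following is an added example, not the skill's code, that shows the break-out and the two standard fixes. The skill's qq-send-auto.sh and clipboard.sh are stood in for by the `printf` command so the demo runs anywhere with /bin/sh (an assumption), and the payload is constructed.

```python
"""Why the flagged shell=True f-string calls are injectable, and two fixes.
Added example; printf stands in for the skill's shell scripts."""
import shlex
import subprocess

# Constructed attacker-controlled message: closes the single quote the skill
# wraps the value in, runs a command, then reopens a quote so the shell sees
# balanced quoting and raises no syntax error.
PAYLOAD = "hello'; echo INJECTED; echo '"


def send_vulnerable(buddy: str, message: str) -> str:
    """Same shape as the flagged call: values interpolated into a string that
    is handed to /bin/sh. The quote inside `message` ends the argument early
    and everything after it is executed as further commands."""
    cmd = f"printf '%s|%s\\n' '{buddy}' '{message}'"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def send_quoted(buddy: str, message: str) -> str:
    """Fix 1: if the string form must stay, shlex.quote() every value so the
    shell treats each one as exactly one word, quotes and semicolons included."""
    cmd = f"printf '%s|%s\\n' {shlex.quote(buddy)} {shlex.quote(message)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def send_hardened(buddy: str, message: str) -> str:
    """Fix 2 (preferred): argv list and no shell at all. For the skill this is
    ["bash", f"{SCRIPT_DIR}/clipboard.sh", "set", text] in place of the f-string."""
    argv = ["printf", "%s|%s\n", buddy, message]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("vulnerable:", repr(send_vulnerable("alice", PAYLOAD)))
    print("quoted:    ", repr(send_quoted("alice", PAYLOAD)))
    print("hardened:  ", repr(send_hardened("alice", PAYLOAD)))
```

With the payload, the vulnerable form prints the extra `INJECTED` line because the shell ran three commands; both fixes print the payload verbatim as a single argument. The argv form is preferred because it also removes the dependency on the caller remembering to quote every future value.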

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess
try:
    # `script` is a stored or user-supplied command string; /bin/sh runs it as-is
    result = subprocess.run(script, shell=True, capture_output=True, text=True, timeout=30)

    if result.returncode == 0:
        print_color(Colors.GREEN, "✅ Operation succeeded!")
Confidence
98% confidence
Finding
result = subprocess.run(script, shell=True, capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess
try:
    # Same pattern on the test path: the stored script body is executed by /bin/sh unchanged
    result = subprocess.run(script, shell=True, capture_output=True, text=True, timeout=30)

    if result.returncode == 0:
        print_color(Colors.GREEN, "✅ Test passed!")
Confidence
98% confidence
Finding
result = subprocess.run(script, shell=True, capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
natural_lang_script = os.path.join(script_dir, "natural_language.py")

if os.path.exists(natural_lang_script):
    # argv form (no shell), so no command injection here, but `text` is still
    # untrusted input to the natural-language interpreter it launches
    subprocess.run(["python3", natural_lang_script, text])
else:
    print_color(Colors.YELLOW, "⚠️  Natural language script not found")
    print("   Make sure natural_language.py is in the same directory")
Confidence
95% confidence
Finding
subprocess.run(["python3", natural_lang_script, text])

Tp4

High
Category
MCP Tool Poisoning
Confidence
86% confidence
Finding
The documented purpose is much narrower than the detected broader behavior, including input automation, image recognition, scheduling, messaging, logging, and external network sync. Capability sprawl and undocumented behaviors materially increase risk because users may grant powerful macOS permissions for a 'desktop control' tool without realizing it can automate actions, exfiltrate data, or persist tasks beyond the stated scope.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The guide introduces cloud sync, API registration, upload/download workflows, and scheduled background synchronization that are outside the stated local-only macOS desktop-control scope. That scope expansion increases attack surface by normalizing networked data transfer and remote persistence behavior for a skill users may reasonably expect to remain local.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The changelog documents capabilities that materially expand the skill from basic macOS desktop control into image-driven UI automation and crontab-based persistence/scheduling. In a desktop-control skill, this broadening increases risk because it enables unattended actions and recurring execution that can affect user data and system behavior beyond immediate interactive control.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Documenting crontab integration for adding, deleting, running, and clearing tasks introduces a persistence and automation mechanism that can execute commands repeatedly without ongoing user presence. In the context of a desktop-control skill, that is dangerous because it can be abused to schedule surveillance, destructive cleanup, or repeated automation affecting files, apps, and user sessions.

Context-Inappropriate Capability

Low
Confidence
81% confidence
Finding
The documented OpenCV-based image recognition with automatic click behavior extends the skill from native desktop utilities into visual targeting and action execution. This is risky because image-based clicking can trigger unintended or unauthorized UI actions, especially in sensitive applications, and it falls outside the narrowly described native-tool control scope.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The changelog documents adding remote synchronization and community sharing features that expand the skill from local desktop control into networked collection and distribution of operation records. In a macOS desktop-control skill, this scope expansion increases data-exposure risk because users may reasonably expect local-only handling of screenshots, commands, and app activity.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The described community sharing and remote record synchronization are not necessary for core desktop-control operations and create an avoidable channel for exporting user activity. Because the skill can handle sensitive commands and scripts, adding cloud/community sharing materially raises privacy and security risk beyond the stated purpose.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The plan expands a local macOS desktop-control skill into a telemetry and cloud-sharing system that records successful user operations and distributes them to other users. That materially changes the trust boundary and data exposure surface: commands, app usage patterns, scripts, timestamps, and potentially user-provided content may be persisted and transmitted off-device without being necessary for the core desktop-control function.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Automatic synchronization to ClawHub is not required to execute local desktop control, yet it introduces continuous exfiltration of operation history to a remote service. Because recorded commands may contain sensitive natural-language inputs, app names, or action details, the sync channel can leak private activity data and create a new remote compromise surface.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Scheduled hourly background execution via cron exceeds the expected interactive behavior of a desktop-control skill and can cause ongoing collection and transmission without an active user request. This reduces user visibility, makes data leakage easier to miss, and increases persistence of any bad sync behavior or future misuse.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The changelog describes capabilities that go beyond direct macOS desktop control: periodic synchronization, ControlMemory retrieval, and automatic reuse of prior operations. Expanding from explicit local desktop actions into background sync and memory-driven execution increases attack surface, creates data-flow risk, and can enable unintended actions from previously stored commands.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Documented cron-based background sync introduces persistence and autonomous behavior not justified by the stated purpose of a desktop-control skill. Scheduled tasks can continue operating without active user awareness, potentially exfiltrating operation history or creating a stealthy background channel.
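The cron findings above describe persistence that keeps working after the interactive session ends, so the practical check is to look for it on the host. The following is an added example, not the skill's code: it scans crontab text and LaunchAgent plists for references to the sync scripts named in this report and checks whether CLAWHUB_API_KEY is set. The sample crontab and plist are constructed, and the LaunchAgent check is an assumption (the report documents only cron).

```python
"""Audit the persistence and sync channels flagged in this report.
Added example; script names come from the findings, sample data is constructed."""
import os
import plistlib
import subprocess
from pathlib import Path

# Script names taken from the findings on this page
SYNC_MARKERS = ("clawhub_sync.py", "setup_cron.sh", "scheduled_task.sh")

SAMPLE_CRONTAB = """\
# constructed sample crontab
MAILTO=""
0 * * * * cd /Users/demo/skills/macos-desktop-control && python3 clawhub_sync.py >/dev/null 2>&1
30 7 * * 1 /usr/bin/say "weekly reminder"
@hourly /bin/bash /Users/demo/skills/macos-desktop-control/scheduled_task.sh
"""

SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.example.clawhub-sync",  # constructed label
    "ProgramArguments": ["/usr/bin/python3",
                         "/Users/demo/skills/macos-desktop-control/clawhub_sync.py"],
    "StartInterval": 3600,
})


def scheduled_sync_entries(crontab_text: str, markers=SYNC_MARKERS) -> list:
    """Cron lines whose command references a marker. Handles the 5-field form
    and @hourly/@reboot shorthands; skips comments and VAR=value lines."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)
            if len(parts) < 2:
                continue
            schedule, command = parts
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue  # env assignment or malformed line
            schedule, command = " ".join(parts[:5]), parts[5]
        if any(m in command for m in markers):
            hits.append({"schedule": schedule, "command": command})
    return hits


def launchagent_hits(plist_bytes: bytes, markers=SYNC_MARKERS) -> list:
    """ProgramArguments entries of a LaunchAgent plist that reference a marker."""
    data = plistlib.loads(plist_bytes)
    return [a for a in data.get("ProgramArguments", []) if any(m in a for m in markers)]


def api_key_present(env=os.environ) -> bool:
    """True if the sync credential is set, i.e. cloud sync would be live."""
    return bool(env.get("CLAWHUB_API_KEY"))


def audit_host() -> dict:
    """Run the checks against the current user: crontab -l and ~/Library/LaunchAgents."""
    report = {"cron": [], "launch_agents": {}, "api_key": api_key_present()}
    try:
        out = subprocess.run(["crontab", "-l"], capture_output=True, text=True)
        if out.returncode == 0:
            report["cron"] = scheduled_sync_entries(out.stdout)
    except FileNotFoundError:
        pass  # no crontab binary on this host
    agents = Path.home() / "Library" / "LaunchAgents"
    for plist in (agents.glob("*.plist") if agents.is_dir() else []):
        try:
            hits = launchagent_hits(plist.read_bytes())
        except Exception:
            continue  # unreadable or non-plist file
        if hits:
            report["launch_agents"][plist.name] = hits
    return report


if __name__ == "__main__":
    print("sample crontab:", scheduled_sync_entries(SAMPLE_CRONTAB))
    print("sample plist:  ", launchagent_hits(SAMPLE_PLIST))
    print("this host:     ", audit_host())
```

Run it after installing the skill and again after any "enable sync" step; a non-empty `cron` or `launch_agents` list, or `api_key: True`, means the background channel the findings describe is active.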

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The documentation describes selecting and executing previously stored scripts based on similarity matching of user input. This is dangerous because semantic similarity is an unreliable authorization boundary: a loosely matched command could trigger an unintended stored script, including scripts with broader effects than the user's request.
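The finding above, together with the two flagged `subprocess.run(script, shell=True, ...)` calls, is the combination a reviewer should worry about: a loosely matched query selects a stored script whose body may have been rewritten by sync, and the body runs unchanged. The following is an added example, not the skill's code, of a gate in front of that path: a stored script runs only if its SHA-256 still matches the hash pinned when the user approved it, and only after an explicit confirm callback has shown the exact body. The ControlMemory record shape, the pin store and the callback are assumptions for the demo; the stored operations are constructed.

```python
"""Gate for stored-script execution: pinned hash plus explicit confirmation.
Added example; record shape and pin store are assumptions."""
import difflib
import hashlib
import subprocess

# Constructed stored operations in an assumed {name, script} shape
STORED_OPS = [
    {"name": "say hello", "script": "echo hello from stored op"},
    {"name": "show disk usage", "script": "df -h /"},
]


class Refused(Exception):
    """Raised when a stored operation is not allowed to run."""


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def pin_approved(ops) -> dict:
    """Record a hash per operation at the moment the user reviews and approves
    the script body; a later sync that rewrites the body invalidates the pin."""
    return {op["name"]: sha256(op["script"]) for op in ops}


PINS = pin_approved(STORED_OPS)


def best_match(query: str, ops, threshold: float = 0.6):
    """Similarity selection as the finding describes. Note how loose it is:
    'say hi' scores about 0.67 against 'say hello' and would be selected."""
    scored = [(op, difflib.SequenceMatcher(None, query.lower(), op["name"].lower()).ratio())
              for op in ops]
    op, score = max(scored, key=lambda t: t[1])
    return (op, score) if score >= threshold else (None, score)


def run_stored(query: str, ops, pins, confirm, timeout: int = 30) -> str:
    """Run a stored script only if it is pinned and explicitly confirmed.
    confirm(name, script, score) -> bool is shown the exact body to execute."""
    op, score = best_match(query, ops)
    if op is None:
        raise Refused(f"no stored operation matches {query!r} (best score {score:.2f})")
    if pins.get(op["name"]) != sha256(op["script"]):
        raise Refused(f"{op['name']!r}: script body changed since it was approved")
    # A similarity score is a suggestion, never authorization
    if not confirm(op["name"], op["script"], score):
        raise Refused(f"user declined {op['name']!r}")
    result = subprocess.run(op["script"], shell=True, capture_output=True,
                            text=True, timeout=timeout)
    return result.stdout


if __name__ == "__main__":
    def ask(name, script, score):
        return input(f"run {name!r} (match {score:.2f}): {script}\n[y/N] ").lower() == "y"
    print(run_stored("say hello", STORED_OPS, PINS, ask))
```

The `shell=True` call is kept on purpose because stored operations are shell one-liners; the point is that the body reaching it is byte-for-byte what the user approved, and that the user saw it before it ran.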

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The changelog explicitly introduces synchronization of operation records, usage counts, success rates, and notes to ClawHub, which expands the skill from local desktop control into networked data export. For a tool scoped as local macOS control, this creates an unnecessary data-flow boundary and could expose sensitive user activity or operational history outside the device.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Community/cloud sync to ClawHub is not justified by the stated purpose of a local macOS desktop-control tool and introduces capability creep. Because the synced content includes usage-derived metadata, it can reveal user behavior patterns and internal operational details that are unrelated to core local execution.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The changelog documents community and memory-synchronization capabilities that materially expand the tool beyond local macOS desktop control into data collection, persistence, and sharing. In a desktop-control skill, this scope expansion increases privacy and supply-chain risk because user actions and contributed commands may be retained or synchronized without a clear need tied to the declared purpose.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
A review workflow that can test, verify, reject, and batch-process operations inside a desktop-control ecosystem introduces a trust pipeline for commands that may later be executed with local system privileges. In this context, automated testing and approval of community-submitted operations is dangerous because malicious or unsafe commands can be legitimized and propagated if validation is weak.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Scheduled synchronization and ClawHub integration extend a local automation tool into a periodically networked system that can export or import operational data in the background. In the context of desktop control, this is more dangerous because stored commands, usage history, or future updates may be synchronized without ongoing user awareness, creating privacy, persistence, and remote-command supply-chain risks.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The guide expands the skill from desktop control into microphone-driven voice recognition and automatic command execution, which is a meaningful capability increase beyond the stated desktop-control scope. In a desktop-control skill, adding spoken-command execution raises the risk of unintended or unauthorized actions triggered by ambient audio, social engineering, or misrecognition.

VirusTotal

67/67 vendors reported this skill as clean. An antivirus verdict covers known-malicious signatures only; it says nothing about the scope, persistence and data-sync findings listed above, which are designed behaviours of the skill rather than malware.
