Security audit

Zuma Desktop Agent

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Zuma desktop automation skill, but it needs Review because it can capture and upload the screen and includes under-disclosed installer, registry, process-launch, and file-sync behavior.

Install only if you trust the ZumaRobot ecosystem and are comfortable with a skill that can start local desktop automation, affect social-account workflows, capture your full screen, and upload files or screenshots. Verify the installer source independently, avoid using download/install commands casually, close sensitive windows before screenshots, and prefer local-only screenshot use with upload disabled where supported.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (23)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill declares itself as a narrow command-mapping wrapper, yet the analyzed behavior indicates access to environment and network capabilities without explicit permission disclosure. This weakens user consent and reviewability, especially because networked automation, uploads, and environment inspection can expose local data or trigger external actions beyond what a user expects.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
This is a substantial description-behavior mismatch: the skill claims to only map user intent to `node zuma.js` parameters, but the observed behavior includes downloading/installing software, registry manipulation, process inspection, screenshot capture, file upload, and use of a hardcoded external image-upload API key. Such hidden capability expansion is dangerous because users and reviewers may authorize a benign-seeming mapper while actually granting a desktop automation and exfiltration tool broad access to the host and external services.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
This function uploads arbitrary image content to a third-party service (Imgbb), which is broader than the declared skill purpose of only mapping user intent to local `node zuma.js` arguments. In a desktop automation agent, this creates a real data-exfiltration path for screenshots, local files, or generated images without clear disclosure, consent, or policy controls.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The QClaw COS helper sends a local file path to an HTTP endpoint and triggers an upload workflow, which exceeds the advertised argument-mapping behavior. Even though the endpoint is localhost, it can still bridge local data into another service and is not disclosed to the user, making it a meaningful unintended publication capability.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code implements a general-purpose image hosting feature using Imgbb that is not justified by the stated desktop command-mapping purpose. This increases attack surface by enabling arbitrary outbound publication of local files or image buffers through the skill.

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The module performs independent upload actions rather than merely translating user intent into command-line arguments, contradicting the documented behavior. In an agent context, capability drift like this is dangerous because users and reviewers may not expect autonomous network publication features.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata says it only maps user intent to CLI parameters, but the setup flow performs autonomous process discovery, registry lookup, executable launch, and install prompting behavior. In an agent skill context, this hidden expansion of capability is dangerous because a caller expecting simple argument mapping may instead trigger software lifecycle actions on the host.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The code downloads a ZIP from remote URLs, extracts it, locates an EXE, and writes its path into the registry, which is materially broader than desktop command mapping/RPA control. This creates a software supply-chain and arbitrary code execution risk, especially because the downloaded binary is trusted and installed without signature verification or strong integrity checks.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The screenshot function is presented as local capture, but it uploads captured images to a remote service by default unless the caller explicitly disables upload. Screenshots can contain credentials, messages, internal documents, and other sensitive desktop content, so silent exfiltration is a serious privacy and data-loss risk.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Automatic remote upload of screenshots is not justified by the stated role of an agent-side command mapper and creates a direct exfiltration path from the user's desktop. In the context of an automation skill, this is more dangerous because the captured screen may include content from unrelated applications and sessions.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Self-installation through PowerShell plus registry modification gives the skill host-level software deployment capability that is unjustified for a simple command-mapping tool. This can be abused to introduce or persist untrusted binaries, and the danger is amplified because the code fetches artifacts from the network and then installs them automatically.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The documented batch-stop command implies stopping only specified cron IDs, but the implementation calls `/cron/stopall` and ignores the provided IDs. In an automation environment, this can cause broad unauthorized disruption by terminating all scheduled jobs when the caller intended to stop only a subset.

Vague Triggers

Medium
Confidence
83% confidence
Finding
Overly broad help trigger phrases such as generic requests for help or capabilities can cause accidental activation of the skill in unrelated conversations. In a skill that can execute automation, capture screenshots, or operate third-party accounts, accidental routing increases the risk of unintended command execution and disclosure of sensitive information.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Broad triggers like '截图/截屏' (screenshot / screen capture) and '日志/查看日志' (logs / view logs) are common natural-language phrases and may be invoked unintentionally during ordinary chat. Because screenshot and log operations can expose sensitive on-screen content or operational details, low-specificity activation materially raises privacy and security risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill automates posting to third-party social accounts but lacks a clear user warning about account-impacting actions. Without prominent disclosure and confirmation, users may trigger publication, scheduling, or account automation they did not fully understand, creating risks of unauthorized posting, account penalties, or reputational harm.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The screenshot feature captures the full screen and may transmit the resulting image, yet the skill text provides no privacy or sensitivity warning. Full-screen capture can collect credentials, private messages, regulated data, and other secrets, and this risk is amplified by the broader context indicating possible upload behavior.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The function transmits a local file path to a network-reachable service without any warning, confirmation, or transparency to the user. File paths can reveal sensitive directory structures, usernames, project names, and can trigger upload of unintended content through the downstream service.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The code hardcodes `conflictStrategy: 'overwrite'` without confirmation, enabling silent replacement of previously uploaded content. In automation workflows, silent overwrite can cause data loss, integrity issues, or accidental destruction of prior artifacts.

Missing User Warnings

High
Confidence
99% confidence
Finding
The screenshot command captures the full virtual screen and uploads it by default without clear warning or confirmation. Because screenshots often contain highly sensitive data, this is an undisclosed collection-and-exfiltration behavior that is especially risky in a desktop automation skill.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code silently overwrites `guide.md` in the skill directory using a path provided by the HTTP response or a file from the installed executable directory. Even if intended as synchronization, this is undisclosed remote-influenced file modification and can alter local guidance or downstream behavior without user awareness.

External Transmission

Medium
Category
Data Exfiltration
Content
}
    
    try {
        const response = await fetch('https://api.imgbb.com/1/upload', {
            method: 'POST',
            body: formData,
            headers: formData.getHeaders()
Confidence
91% confidence
Finding
fetch('https://api.imgbb.com/1/upload', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
}
*/
export async function uploadToQClawCOS(localFilePath) {
    const response = await fetch('http://localhost:19000/proxy/qclaw-cos/upload', {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({
Confidence
80% confidence
Finding
fetch('http://localhost:19000/proxy/qclaw-cos/upload', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
}
    
    try {
        const response = await fetch('https://api.imgbb.com/1/upload', {
            method: 'POST',
            body: formData,
            headers: formData.getHeaders()
Confidence
91% confidence
Finding
https://api.imgbb.com/

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
zuma.js:308

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
zuma.js:94

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
zuma.js:80