desktop-operator

Security checks across malware telemetry and agentic risk

Overview

This desktop automation skill mostly matches its purpose, but it needs review because it can capture the whole desktop and close processes more broadly than users may expect.

Install only if you trust the publisher and specifically need local Electron desktop automation. Close sensitive windows before use, avoid production or account-sensitive apps unless you accept the risk, and prefer a revised version that captures only the target app, asks before saving screenshots, deletes or limits stored images, and terminates only the process it launched.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Description-Behavior Mismatch

Medium
Confidence: 98%
Finding
The skill claims to automate an Electron app via Puppeteer, but the screenshot implementation invokes the macOS screencapture utility on the entire desktop. That can capture unrelated applications, notifications, documents, passwords, or other sensitive host data outside the target app, creating a clear data over-collection risk inconsistent with the stated purpose.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
Using pkill -f with the app name performs host-level process termination based on a broad pattern match rather than the specific spawned process. This can kill unrelated processes whose command line contains the same string, causing denial of service or unintended disruption beyond the skill's UI automation scope.

Missing User Warnings

Medium
Confidence: 90%
Finding
The README explicitly advertises opening Electron apps, locating UI elements, clicking them, and taking screenshots, but it does not warn that these actions may expose sensitive application data, trigger state-changing operations, or capture private content visible in the app. In a desktop automation skill, omission of these safety and privacy caveats increases the risk of accidental misuse against real user data and production applications.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill can launch a local desktop Electron app, control its UI, and capture a screenshot of its contents, but the description does not clearly warn users about these sensitive actions. This increases the risk of unexpected interaction with local applications and disclosure of sensitive on-screen data, especially because screenshots may capture account data, internal tools, or personal information.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill silently writes screenshots to disk without any user-facing warning, confirmation, or clear retention policy. Because the screenshot is of the whole desktop, this can persist sensitive visual data locally in a predictable directory, increasing privacy and exposure risk if the files are later accessed by other software or users.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill launches an application in detached mode and later terminates processes without explicit user warning or confirmation. In a desktop automation context this is risky because it changes host state, can interrupt user workflows, and when combined with remote debugging enables broader control over a local app than the description signals.

VirusTotal

64/64 vendors flagged this skill as clean.
