Control

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed desktop automation skill, but it grants broad control of the live desktop and sensitive screen/clipboard data without strong default approval boundaries.

Install only if you are comfortable giving this skill supervised control over your desktop. Keep failsafe enabled, use approval mode where possible, close sensitive windows, avoid letting it handle passwords or private documents, and treat screenshots, logs, and clipboard output as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (19)

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill exposes clipboard read/write functions even though its stated purpose is desktop mouse, keyboard, and screen automation. Clipboard access can retrieve or overwrite sensitive data such as passwords, tokens, copied documents, or wallet addresses, expanding the data-access surface beyond the declared scope.

Context-Inappropriate Capability

Low
Confidence
71% confidence
Finding
Window enumeration and activation broaden the skill from input automation into environment discovery and application targeting. While not inherently malicious, listing open windows can reveal sensitive application names, document titles, and user activity, which may aid follow-on abuse.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The demo performs clipboard read and write operations even though the skill metadata only describes mouse, keyboard, and screen control. Clipboard contents frequently contain sensitive data such as passwords, tokens, and personal information, so this undocumented capability expands the effective privilege of the skill and can surprise users reviewing the manifest.

Description-Behavior Mismatch

Low
Confidence
84% confidence
Finding
The code enumerates and reports active and open windows, but the manifest description does not mention window-management capability. While less sensitive than clipboard or screen capture, window titles can reveal confidential information about documents, apps, websites, or workflows, so the undocumented behavior weakens informed consent and transparency.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide explicitly states the agent takes screenshots of task results and later describes before/after screenshots for each step, but it provides no warning that captured screens may contain emails, documents, credentials, personal data, or other sensitive information. In a desktop automation skill, autonomous screenshot collection materially increases privacy and data-exposure risk because screenshots may be stored, logged, or shared during debugging.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guide promotes autonomous form filling, social media posting, PDF-to-Excel transfer, and job-application submission workflows without warning about accidental disclosure, unauthorized submission, or transmission of sensitive personal/business data. Because this skill performs real desktop actions, users may trigger irreversible external effects such as posting public content, submitting forms, or copying confidential data into the wrong destination.

Missing User Warnings

High
Confidence
97% confidence
Finding
The guide offers a mode with failsafe disabled and labels it as 'Fast mode' without clearly describing the risk of runaway clicks/keystrokes, unintended interactions, or loss of user control. In a desktop-control agent, removing a safety interlock can allow rapid uncontrolled actions across arbitrary applications, which can cause destructive changes, accidental submissions, or interfere with sensitive workflows.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This quick reference documents capabilities like screenshots, clipboard access, window enumeration, and desktop input automation without meaningful privacy, consent, or data-handling warnings. In a desktop-control skill, these examples normalize actions that can capture sensitive information or manipulate user applications, increasing the risk of misuse or accidental exposure.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The examples show potentially destructive or security-sensitive automation such as form submission, file selection/copy operations, launching applications via Win+R, search-and-replace, and disabling failsafe, but they do not clearly warn about unintended system changes or data loss. Because this skill directly controls mouse and keyboard input, even small mistakes or repurposing can cause unauthorized actions in whichever window is focused.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation promotes screenshot capture and clipboard access without prominent privacy warnings, even though those features can expose secrets such as passwords, tokens, personal messages, financial data, or confidential documents. In a desktop automation skill, this context makes the issue more serious because the whole environment is the user’s live desktop, where highly sensitive data is commonly present.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The examples demonstrate form submission, file selection/copying, drag-and-drop, and window-driven automation without clearly warning that these actions can modify data, submit information, or move/copy files unintentionally. In a desktop-control skill, example code strongly shapes user behavior, so unsafe examples can normalize running destructive actions without confirmation, target validation, or dry-run safeguards.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The screenshot function captures the full screen or a region and can save it to disk without any approval check or visible notice. This enables silent collection of sensitive on-screen data such as messages, credentials, financial information, or internal documents.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
Clipboard writes occur without confirmation, allowing the skill to silently replace user clipboard contents. This can facilitate deception or redirection attacks, such as swapping copied commands, URLs, account numbers, or cryptocurrency addresses before the user pastes them.

Missing User Warnings

High
Confidence
98% confidence
Finding
The global helper functions instantiate the controller through get_controller() with default require_approval=False, effectively bypassing the optional approval mechanism. In practice, this makes dangerous actions like clicking, typing, hotkeys, and screenshots available through convenience APIs with no user confirmation, increasing the chance of silent destructive or data-exfiltrating automation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The agent automatically captures screenshots before and after each step and stores them in the returned result object without any explicit consent, minimization, or warning to the user. Because desktop screenshots can contain passwords, emails, personal data, tokens, or unrelated application content, this creates a real privacy and data-exposure risk, especially for an autonomous desktop-control skill.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This step saves screenshots to disk using a provided filename with no user confirmation, warning, retention policy, or storage protections. Persisting screen captures increases the risk of later unauthorized access or accidental disclosure because sensitive visual data remains on the filesystem beyond the immediate task.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The agent opens the OS Run dialog and types a launch command derived from task parsing or fallback logic, causing programs to be executed without an explicit confirmation step. In a desktop automation context, autonomous application launch is more dangerous because it can trigger unintended software execution, interact with privileged tools, or be chained into broader system actions based on ambiguous or manipulated prompts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The screen capture demo saves screenshots to disk without a prominent warning that on-screen content may include sensitive information such as messages, credentials, or personal data. Persisting screenshots increases exposure because sensitive content remains stored in files after the demo completes.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The advanced automation demo reads the current clipboard, prints it, replaces it, and later restores it, but does not provide a clear privacy warning about accessing potentially sensitive clipboard data. Clipboard contents often contain secrets or personal information, and printing them to the console further increases the risk of disclosure.

VirusTotal

63/63 vendors flagged this skill as clean.