my skill

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about being a desktop automation tool, but it gives an agent broad control over local apps without enough safety scoping.

Install only if you intentionally want an agent to control your desktop. Verify the external agent-desktop package before installing it globally, avoid --trust unless you trust its install scripts, grant Accessibility only in a dedicated terminal if possible, keep sensitive apps closed, and require explicit approval before the agent reads clipboard/screenshots, acts on notifications, sends/submits data, changes settings, closes apps, or clicks destructive controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The trigger language is very broad and includes generic desktop-GUI phrases like 'click button', 'fill form', and 'read UI', which can cause this high-impact automation skill to activate for ordinary requests that do not clearly require privileged desktop control. In context, this is more dangerous because the skill can observe screens, type into applications, control windows, access notifications, and interact with the clipboard, so over-triggering increases the chance of unintended data exposure or unsafe system actions.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The skill advertises sensitive capabilities—screenshots, clipboard read/write, text entry, app launching/closing, notification access, and UI inspection—without any prominent warning about privacy, consent, or system-impact boundaries. Because this is a desktop automation skill with OS accessibility privileges, the missing warning materially increases the risk that an agent uses these functions on sensitive applications or data without adequate user awareness and confirmation.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The documentation encourages taking screenshots and optionally writing them to disk, but it provides no warning that screenshots may capture passwords, personal data, tokens, internal documents, or other sensitive on-screen content. Returning screenshots as base64 in JSON or saving PNGs to arbitrary paths can also increase accidental data exposure through logs, agent memory, shared workspaces, or insecure file handling.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The documented clipboard-get, clipboard-set, and clipboard-clear commands enable reading and modifying potentially sensitive clipboard contents without any warning, consent guidance, or scope restriction. In a desktop automation skill, clipboard access can expose secrets such as passwords, API keys, tokens, or copied personal data, and clipboard modification can tamper with user workflows or facilitate unintended data exfiltration.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The notification commands allow listing notifications, dismissing them, and clicking action buttons such as Reply or Mark as Read, but the documentation does not warn that these operations can alter user-visible state or trigger side effects in third-party apps. In context, this makes the skill more dangerous because notification content may contain sensitive information and action buttons may send messages, acknowledge alerts, or hide important security notifications without the user's awareness.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The documentation explicitly instructs users to grant macOS Accessibility permission, which gives broad cross-application visibility and control over UI elements. While this is necessary for the tool's function, the file does not clearly warn that granting the permission enables reading and manipulating other apps, including potentially sensitive content, so users may underestimate the privacy and system-impact risk.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding:
The documented activation chain includes a coordinate-based click fallback, which can interact with screen locations without semantic verification of the target element. If UI layout changes, focus shifts, or overlays appear, the fallback could trigger unintended actions such as destructive clicks, navigation, or approval of dialogs.

VirusTotal

64/64 vendors flagged this skill as clean.