Skill v1.0.0
ClawScan security
my skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 6, 2026, 7:56 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions match a legitimate desktop-automation CLI, but metadata mismatches and packaging/installation ambiguities (plus the high power to read/control the desktop) warrant caution before installing or granting permissions.
- Guidance: This skill appears to be documentation for a desktop automation CLI (agent-desktop) and can fully observe and control UI elements on macOS, which is a very powerful capability. Before installing or granting Accessibility permission:
  1. Verify the exact npm package name and publisher on the npm registry (inspect its source code and maintainers).
  2. Confirm the skill bundle's metadata (slug/owner) matches the published package or author; the bundle shows mismatched IDs and names, which could indicate repackaging.
  3. Only grant Accessibility permission to a terminal you trust (do not add unknown terminal apps).
  4. Consider testing in an isolated machine or VM, since the tool can read clipboard, notifications, and application UIs.
  5. If you are uncomfortable with autonomous agents controlling your desktop, disable autonomous invocation or restrict the skill until you can audit the installed CLI.

  If you want, provide the npm package URL or package.json from the CLI so I can help check the publisher and code surface for you.
Review Dimensions
- Purpose & Capability (note): SKILL.md clearly documents a desktop automation CLI (agent-desktop) that reads and manipulates macOS accessibility trees; this aligns with the described purpose. However, the registry metadata (skill name 'my skill', slug 'aoto', owner IDs) does not match the tool identity in SKILL.md ('agent-desktop'), indicating a packaging/branding inconsistency that should be resolved.
- Instruction Scope (concern): The runtime instructions tell the agent to snapshot UI trees, read element properties and clipboard, list/dismiss notifications, synthesize keyboard/mouse events, and perform coordinate clicks. Those actions are coherent for a desktop automation tool but are high-privilege: they let the agent read arbitrary on-screen content and control apps. The SKILL.md also instructs the user/agent to install the CLI and to grant Accessibility permission to the terminal; both are expected but sensitive operations.
- Install Mechanism (note): There is no formal install spec in the skill bundle, but SKILL.md instructs installing via 'npm install -g agent-desktop' or 'bun install -g --trust agent-desktop'. That is a reasonable, common install path, but the registry package metadata does not provide a homepage/source or verify the npm package name, so you should verify the npm package and its publisher before running the global install.
- Credentials (ok): The skill declares no environment variables or credentials (appropriate). It does require granting macOS Accessibility permission to the terminal, which is necessary for the claimed functionality but also grants broad read/control over the desktop; this privilege is proportionate to the feature set but sensitive.
- Persistence & Privilege (note): The skill is not set to always:true. It can be invoked autonomously (platform default), which, combined with desktop-control capabilities, increases risk. Autonomous invocation alone is normal, but you should be aware that an agent using this skill could autonomously perform UI actions and read screen/clipboard data.
