
Security audit

Windows Desktop Automation CLI

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Windows automation tool, but it needs review because its WeChat guides can send, post, delete, and export private data with weak safeguards.

Install only if you intentionally want an agent to control a live Windows desktop and WeChat session. Require explicit confirmation of the target window, recipient, message or file content, post, call, contact change, logout, deletion, and any export path before execution. Avoid use while sensitive apps or clipboard contents are present, and do not allow broad WeChat history, contact, or local file extraction unless that exact data access is authorized.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (36)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 89%
Finding
The skill description narrows usage to desktop control on explicit user request, but the documented commands also enable broader surveillance and data-access capabilities such as clipboard read/write, screenshots, OCR, UI enumeration, and image matching. This mismatch is dangerous because an agent or reviewer may authorize the skill for simple UI automation while overlooking its ability to extract sensitive on-screen or clipboard data from unrelated applications.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The skill is scoped as a Windows GUI automation CLI, but this section expands into direct filesystem copying of WeChat data, bypassing the stated UI-only boundary and enabling bulk extraction of local files. That makes the skill materially more dangerous because an agent can move from user-visible desktop actions to silent collection of chat files and videos from disk.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The documented capability to copy files from WeChat storage directories is not justified by the skill's declared purpose of desktop automation and introduces unauthorized data-access functionality. In context, this broadens the attack surface from interactive GUI control to direct exfiltration of message attachments and videos from local storage.

Description-Behavior Mismatch

Medium
Confidence: 87%
Finding
The skill metadata limits intended use to explicit window control, mouse/keyboard simulation, and desktop app automation, but this file adds clipboard manipulation capabilities that are broader than that declared scope. Scope creep like this is dangerous because clipboard contents may include sensitive user data and file references, enabling unintended data access or staging of user actions outside what the manifest leads users to expect.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The get_text_from_clipboard method can read arbitrary clipboard text without any apparent restriction, which may expose passwords, tokens, copied personal data, or confidential business content. In the context of a skill advertised only for window, mouse, and keyboard control, undisclosed clipboard reading is especially risky because it creates a stealthy data-access channel users are unlikely to anticipate.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The skill metadata scopes this tool to desktop/window automation, but the implementation exposes independent clipboard read and write operations. Clipboard contents often include sensitive data such as passwords, tokens, copied documents, or PII, so this creates a broader data-access capability than users and policy may expect from the declared skill purpose.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The clipboard handler enables arbitrary copy-text, copy-files, and get-text operations without any additional authorization or binding to a specific automation context. In an agent setting, this can be abused to exfiltrate whatever the user last copied or to tamper with clipboard state, which is especially concerning because the skill description does not prominently disclose clipboard access.

Missing User Warnings

Medium
Confidence: 82%
Finding
The README advertises screenshot capture and text input capabilities without any visible warning about privacy exposure, unintended interaction with sensitive applications, or accidental modification of user data. In a desktop automation skill, these actions can capture secrets or send keystrokes to the wrong window, so the lack of user-facing safety guidance increases the chance of misuse or operator error.

Missing User Warnings

Medium
Confidence: 93%
Finding
The example implements unattended message sending in WeChat by detecting incoming messages and immediately typing and sending a generated reply, but it provides no user warning, consent gate, rate limit, recipient verification, or review step. In a desktop automation skill, this is risky because mistakes in window focus, message parsing, or reply generation can cause unauthorized or misleading messages to be sent to the wrong person at scale.

Missing User Warnings

Medium
Confidence: 94%
Finding
This section explicitly instructs the operator to enumerate the contact list and use UI snapshots to collect names and profile-related data, but provides no consent, privacy, or data-minimization guardrails. In a desktop automation skill, this enables silent harvesting of sensitive relationship data from a personal messaging app, which is privacy-impacting even if not directly code-execution related.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill describes opening a friend's profile, extracting profile text, and viewing mutual groups without any privacy notice or access-control considerations. This is dangerous because it operationalizes collection of third-party personal and social graph data from WeChat, which could be abused for surveillance, profiling, or unauthorized intelligence gathering.

Missing User Warnings

Medium
Confidence: 97%
Finding
These steps automate adding contacts, typing identifiers, and sending verification text, which directly modifies the user's WeChat account state and initiates communication with external parties. Without an explicit warning or confirmation requirement, the skill could be used to send unwanted requests, spam contacts, or manipulate a user's account relationships through automation.

Missing User Warnings

Medium
Confidence: 98%
Finding
Automating review and approval of incoming friend verification requests changes who can access and interact with the user's account, yet the document omits any warning about this security boundary. This is more dangerous in context because accepting a new friend in a messaging platform can expose profile details, enable messaging, and expand attack surface for social engineering or data access.

Missing User Warnings

Medium
Confidence: 88%
Finding
The instructions explicitly automate sharing note content to WeChat Moments, a public or semi-public channel, without any warning, consent checkpoint, or discussion of privacy implications. In a desktop automation skill, this is risky because a user or downstream agent could trigger disclosure of sensitive note contents unintentionally at scale.

Missing User Warnings

Medium
Confidence: 89%
Finding
The instructions describe exporting WeChat files and videos and writing them to local destinations without any privacy warning, confirmation step, or notice that sensitive user data is being copied. Because WeChat content may include personal or confidential information, omission of these safeguards increases the risk of unnoticed data exposure or misuse.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill provides step-by-step automation to clear chat history and confirm deletion, but it includes no warning, confirmation requirement, or indication that this action is irreversible. In an automation context, destructive UI actions are higher risk because they can be executed quickly and at scale, causing silent data loss if invoked mistakenly or through prompt manipulation.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill provides step-by-step instructions to send outbound WeChat messages and files, but it does not require any explicit confirmation, destination verification, or user warning about modifying external data and contacting third parties. In an automation context, this can enable unintended spam, data exfiltration, or accidental delivery to the wrong recipient if invoked with ambiguous or malicious prompts.

Missing User Warnings

Medium
Confidence: 95%
Finding
The chat history retrieval section instructs the agent to open and enumerate conversation records without warning that chat logs may contain sensitive personal, financial, or business information. In a desktop automation skill, this lowers the barrier to bulk access of private communications and could facilitate unauthorized collection or disclosure of sensitive data.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill includes a destructive account action (logout) followed by immediate confirmation steps, but it does not require any explicit user confirmation or warning about session disruption. In a desktop automation skill, this is risky because an agent could execute the sequence directly and unexpectedly terminate the user's logged-in session, interrupt workflows, or cause loss of unsaved state.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation exposes clipboard read and write capabilities, including a `get-text` command that can retrieve arbitrary clipboard contents, without warning that clipboard data may contain passwords, tokens, personal data, or other sensitive material. In an agent skill context, this is risky because clipboard contents may be captured, displayed, logged, or transferred to other applications, increasing the chance of unintended data disclosure.

Missing User Warnings

Medium
Confidence: 87%
Finding
The test instructions document destructive actions such as closing windows and even force-terminating processes without prominently warning about unsaved work or data loss. In a desktop automation skill, these examples can normalize unsafe operational behavior and increase the chance an agent or operator uses them against the wrong application, causing denial of service or loss of user data.

Missing User Warnings

Medium
Confidence: 92%
Finding
The documentation encourages screenshot, OCR, UIA snapshot, and clipboard inspection without warning that these actions may capture secrets, personal data, or other sensitive on-screen information. Because this skill is specifically for Windows desktop automation, these collection features are more sensitive than in a generic CLI: they can directly expose contents of arbitrary application windows and the system clipboard.

Missing User Warnings

Medium
Confidence: 88%
Finding
The find_image function captures the contents of an arbitrary window via Win32API.capture_window_bgra and processes it for template matching, but this file contains no user-facing notice, consent check, or sensitivity guard around that screenshot operation. In a Windows desktop automation skill, window capture can expose sensitive on-screen data from emails, chats, documents, passwords, or other applications, so silent capture increases privacy and data-exposure risk even if the feature is intended for legitimate automation.

Unpinned Dependencies

Low
Category: Supply Chain
Content
# Install with: pip install -r requirements-dev.txt

# Code quality
pylint>=2.17.0

# Type checking
mypy>=1.0.0
Confidence: 95%
Finding
pylint>=2.17.0

Unpinned Dependencies

Low
Category: Supply Chain
Content
pylint>=2.17.0

# Type checking
mypy>=1.0.0

# Testing
pytest>=7.0.0
Confidence: 95%
Finding
mypy>=1.0.0

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.