Security audit

春登台桌面智能体

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Mac desktop automation tool, but it gives an agent broad control over your screen, keyboard, clipboard, browser, files, downloads, and shell commands without enough built-in safety gates.

Install only if you intentionally want a highly privileged Mac desktop-control agent and can supervise it closely. Review every shell command, file move, download, login/form action, and message before allowing it, and avoid using it with secrets or sensitive apps unless the skill is changed to require confirmations, constrain shell/file access, handle clipboard contents safely, and clean up screenshots.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import json, sys, subprocess, os, tempfile

def run_osascript(script):
    # Runs an AppleScript snippet through osascript with a 10 s timeout;
    # the script text is passed as a single argv element (no shell).
    result = subprocess.run(
        ['osascript', '-e', script],
        capture_output=True, text=True, timeout=10
    )
    return result  # the scanner's excerpt ends before the return; assumed here
Confidence
91% confidence
Finding
result = subprocess.run( ['osascript', '-e', script], capture_output=True, text=True, timeout=10 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
elif tool == 'type_text':
    text = args.get('text', '').replace('"', '\\"')
    subprocess.run(['osascript', '-e', f'set the clipboard to "{text}"'], check=True)
    subprocess.run(['osascript', '-e', 'tell application "System Events" to keystroke "v" using command down'], check=True)
    return {"jsonrpc": "2.0", "result": {"content": [{"type": "text", "text": f"Typed: {text[:50]}"}], "isError": False}}
Confidence
95% confidence
Finding
subprocess.run(['osascript', '-e', f'set the clipboard to "{text}"'], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
elif tool == 'set_clipboard':
    text = args.get('text', '').replace('"', '\\"')
    subprocess.run(['osascript', '-e', f'set the clipboard to "{text}"'], check=True)
    return {"jsonrpc": "2.0", "result": {"content": [{"type": "text", "text": "Clipboard set"}], "isError": False}}

elif tool == 'shell':
Confidence
95% confidence
Finding
subprocess.run(['osascript', '-e', f'set the clipboard to "{text}"'], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
elif tool == 'shell':
    cmd = args.get('command', '')
    timeout = args.get('timeout', 30)
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)
    return {"jsonrpc": "2.0", "result": {"content": [{"type": "text", "text": result.stdout[:500]}], "isError": False}}

else:
Confidence
99% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill exposes powerful shell-based file and network operations (`mv`, `cp`, `mkdir`, `curl`) while declaring no explicit permissions or safety boundaries. In a desktop automation skill with broad triggers, this creates a real risk of silent file modification, data exfiltration, or unintended command execution without the platform surfacing adequate user consent or policy checks.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The declared skill is for desktop automation, but the exposed toolset includes a generic shell executor, which materially exceeds that scope. This mismatch makes the skill far more dangerous because any caller expecting GUI-only automation can instead obtain arbitrary command execution on the host.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrases are extremely broad and match many ordinary requests involving opening apps, filling forms, moving files, or 'automatically completing' tasks. Because this skill can control the browser, keyboard, mouse, files, and shell, unintended activation could grant a highly privileged automation workflow to benign-seeming prompts, increasing the chance of unsafe actions being taken without clear user intent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill provides templates for moving files and downloading remote content using shell commands, but it does not require warning the user about local data changes or outbound network access. In this context, the omission is dangerous because the skill is designed for direct desktop execution, so users may unknowingly authorize overwrites, bulk file movement, or retrieval of untrusted external files.

Missing User Warnings

High
Confidence
97% confidence
Finding
This code exposes silent shell execution with no user-facing warning, confirmation, or policy boundary. Because commands are arbitrary and run on the host, an attacker can perform destructive actions or steal data without any friction or visibility to the user.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The screenshot tool captures the user's screen and writes the image to disk without any disclosure about capture timing, contents, retention, or file location. In a desktop automation context, screenshots can contain credentials, personal messages, and other highly sensitive data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This tool overwrites the clipboard and pastes its contents without warning the user, which can destroy user data in the clipboard and introduce unintended secrets or commands into the active application. In desktop automation, silent clipboard manipulation is particularly risky because it affects cross-application state.

VirusTotal

67/67 vendors flagged this skill as clean.