Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Desktop automation ultra
v2.0.0Automate comprehensive desktop tasks on Windows/macOS/Linux with safe, logged mouse, keyboard, OCR, image recognition, macro recording, and replay features.
⭐ 0· 311·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (desktop automation, macro recording, OCR, image recognition) matches the shipped code and docs. One inconsistency: the registry metadata lists no required binaries, but the skill clearly expects a Python runtime (calls 'python' from skill.js, includes Python modules and a requirements.txt) and the README mentions system dependencies (Tesseract, xclip/xsel on Linux). This is a metadata omission but does not indicate hidden behavior.
Instruction Scope
SKILL.md and the included scripts instruct only local actions (mouse/keyboard, screenshots, OCR, image matching, macro files, logs). The files and docs explicitly warn that the recorder captures ALL keyboard/mouse events and that macros are stored locally. There are no instructions to read unrelated system secrets or to send data to external endpoints.
Install Mechanism
No automated install spec is present (user must place the folder in the skills directory and run pip install -r requirements.txt). That is lower-risk than remote installers, but users should be aware the skill expects pip/OS packages and optional system binaries (Tesseract). The package list is standard for this functionality and all code is included locally — no suspicious external download URLs were provided.
Credentials
The skill does not request environment variables or external credentials. Its use of cryptography (for password-protected macros) is reasonable for the documented feature. No unrelated secrets or cloud credentials are required.
Persistence & Privilege
always:false and normal autonomous invocation are used. The skill writes logs and macro files under user/home paths (e.g., recorded_macro/, ~/.openclaw/...), which is expected for this kind of tool. It does not attempt to modify other skills or system-wide agent settings in the provided code.
Assessment
This skill appears to do what it says: local desktop automation and macro recording. Important things to consider before installing:
- Privacy: the recorder captures ALL keyboard and mouse events (including passwords and sensitive text) and stores macros as JSON — never record while entering secrets and store macro files securely.
- Metadata note: the registry metadata did not declare required binaries, but the skill requires Python in PATH and optional system packages (Tesseract, xclip/xsel) and Python packages from requirements.txt; ensure you have the appropriate runtime and review dependencies before installing.
- Autonomy: the agent can invoke the skill autonomously by default. If you do not want automated UI actions to run without manual approval, restrict the skill's permissions or require manual invocation.
- Local-only: the code and docs claim no network access; still inspect the shipped files yourself (they are included) for unexpected network calls before trusting them on a sensitive machine.
- Recommended: run the included tests (scripts/test_automation.py) in a safe environment, use dry_run=true for initial testing, and review/rotate any stored macros (or encrypt them) if they may contain sensitive data.skill.js:14
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk971wyr90x908sm85z07zdqjjd82zza8
License
MIT-0
Free to use, modify, and redistribute. No attribution required.