Mac Cleaner

Security checks across malware telemetry and agentic risk

Overview

This Mac cleanup skill is purpose-aligned, but its documented safety preview can still run real deletions and the dashboard can trigger cleanup without enough safeguards.

Review and fix the dry-run behavior before installing or running this skill. Do not rely on `--dry-run` as written; leave the weekly cron disabled unless you explicitly want unattended cleanup, and only expose the Mission Control dashboard in a trusted local environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The skill mandates a safety preview via `--dry-run`, but the provided `src/index.js` contains no argument parsing or alternate dry-run behavior, so invoking `node ... --dry-run` still executes real deletions. This creates a direct mismatch between documented safety guarantees and actual destructive behavior, increasing the chance of unintended data loss after a user believes they are only previewing changes.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill advertises a limited cleanup scope, but the implementation also permits deletion in broader locations such as `~/.openclaw`, Xcode-derived data paths, and home-directory folders matching a Unicode-slash pattern. This discrepancy is dangerous because users may consent to cache/log cleanup without realizing additional application and workspace artifacts can be removed.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The POST API route exposes on-demand execution of the cleaner script through a web endpoint, transforming a local maintenance script into a remotely triggerable destructive action within the Mission Control app context. If the dashboard is accessible to other local users, browser sessions, or lacks CSRF/auth protections, an attacker could trigger cleanup runs without informed user intent.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad, natural-language expressions like 'clean my mac' and 'I'm running out of space,' which can plausibly occur in ordinary conversation and unintentionally activate an installation or cleanup workflow. Because this skill performs persistent installation and deletion actions, accidental invocation materially raises safety risk.

VirusTotal

64/64 vendors flagged this skill as clean.
