Windows Terminal Control

Pass | Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: win-terminal
Version: 1.0.0

The `win-terminal` skill, described in `SKILL.md`, allows arbitrary command execution on a Windows machine via PowerShell or Windows Terminal. This is a high-risk capability. While the documentation claims 'Input Sanitization,' it critically states 'Not a Sandbox: Commands run with your actual user permissions. The skill trusts command input.' This explicit trust in command input, combined with the ability to execute any CLI command, makes the skill highly vulnerable to command injection or misuse by a malicious agent/user, potentially leading to remote code execution and system compromise. There is no evidence of intentional malice, but the inherent risk and explicit trust in input classify it as suspicious.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used carelessly, an agent could install packages, change files, run scripts, commit code, start services, or otherwise modify the local environment using the user's account.

Why it was flagged

This exposes broad shell and process-control authority rather than a bounded workflow, and the artifact does not specify mandatory user approval or command/path limits for high-impact actions.

Skill content

Run Commands: Execute any command-line tool or script ... Execute PowerShell commands ... Operate in any directory you have access to ... Start background processes

Recommendation

Only install if you intentionally want to grant broad terminal authority. Add explicit user confirmation for state-changing commands, restrict working directories, prefer command allowlists, and log all executed commands.

What this means

Users may overestimate how safely commands are constrained and allow the agent to run risky commands under their real account.

Why it was flagged

The documentation makes strong safety claims while also admitting the skill is not sandboxed and trusts command input; with no implementation supplied, those safeguards are not reviewable.

Skill content

Execute commands with dangerous patterns (sanitization blocks known attack vectors) ... Not a Sandbox: Commands run with your actual user permissions. The skill trusts command input.

Recommendation

Present the skill as a powerful unsandboxed terminal tool, avoid unsupported safety guarantees, and provide reviewable enforcement code if claiming sanitization or blocking.

What this means

The user cannot verify from this package how command execution, timeout, or sanitization behavior is actually implemented.

Why it was flagged

The documented helper script is referenced, but the supplied manifest contains only SKILL.md and no install spec or code, leaving the actual command runner and its provenance outside the reviewed artifacts.

Skill content

run-command.ps1 -Command "git status"

Recommendation

Provide the helper script or declare it as an explicit prerequisite, include provenance/version information, and keep the registry metadata aligned with the required runtime.

What this means

Commands can access or modify anything the current Windows user can access.

Why it was flagged

Using the user's OS permissions is expected for a terminal-control skill, but it means command effects are not isolated from the user's files and environment.

Skill content

User Permissions Only: Operates with your standard Windows user permissions ... Not a Sandbox: Commands run with your actual user permissions.

Recommendation

Run only in trusted project directories, avoid elevated shells, and require confirmation before commands that affect files, packages, credentials, or external accounts.

Note | High Confidence

ASI10: Rogue Agents

What this means

A started server or process could keep consuming resources or expose a local service longer than intended.

Why it was flagged

Background process support is disclosed and can be legitimate for development, but long-running processes may continue after the immediate agent task unless explicitly stopped.

Skill content

Start background processes ... Run a dev server (non-blocking)

Recommendation

Require explicit user approval before starting background processes and document how to list and stop processes started by the skill.