MacOS Desktop Control

Security checks across malware telemetry and agentic risk

Overview

This skill broadly does what it says, but it needs Review because its Mac desktop-control powers include unvalidated AppleScript inputs that could run unintended automation.

Install only if you intentionally want supervised macOS desktop automation. Grant Screen Recording and Accessibility only to a trusted runtime, avoid passing untrusted app names or bundle paths until the AppleScript inputs are escaped or allowlisted, avoid pasting secrets, and clean /tmp/macos_desktop_control after sensitive sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_osascript(lines: List[str]) -> str:
    proc = subprocess.run(
        ["osascript", *sum([["-e", line] for line in lines], [])],
        check=True,
        capture_output=True,
Confidence
95% confidence
Finding
proc = subprocess.run( ["osascript", *sum([["-e", line] for line in lines], [])], check=True, capture_output=True, text=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if args.action == 'open':
    if args.path:
        subprocess.run(['open', args.path], check=True)
        emit(build_result('open', path=args.path, launch='open-path'), args.json_pretty)
        return
    if not args.app:
Confidence
84% confidence
Finding
subprocess.run(['open', args.path], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_osascript(lines: List[str]) -> str:
    proc = subprocess.run(
        ["osascript", *sum([["-e", line] for line in lines], [])],
        check=True,
        capture_output=True,
Confidence
95% confidence
Finding
proc = subprocess.run( ["osascript", *sum([["-e", line] for line in lines], [])], check=True, capture_output=True, text=True, )

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The documentation repeatedly states that AI semantic understanding is the default locator, yet the listed implementation only includes OCR and OpenCV scripts. This mismatch is dangerous because operators may assume stronger target understanding, verification, or safety checks than actually exist, which can lead to mis-clicks, unintended actions, or unsafe automation on the live desktop.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill can launch, activate, and enumerate applications via AppleScript and the open command with no user-facing warning, consent gate, or policy check. For a desktop-control skill, this increases the chance of unauthorized app interaction, deceptive UI focus changes, or chaining with other capabilities to manipulate the local environment without the user's awareness.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script captures the full screen and writes the image to disk without any user-facing notice, consent flow, or contextual disclosure. In a desktop-control skill, screenshots can contain sensitive information such as credentials, messages, tokens, or personal data, so silent capture increases privacy and data-exposure risk even if the feature is functionally intended.

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyautogui>=0.9.54
Pillow>=10.0.0
opencv-python>=4.8.0
pyobjc-framework-Vision>=10.0
Confidence
97% confidence
Finding
pyautogui>=0.9.54

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyautogui>=0.9.54
Pillow>=10.0.0
opencv-python>=4.8.0
pyobjc-framework-Vision>=10.0
pyobjc-framework-Quartz>=10.0
Confidence
98% confidence
Finding
Pillow>=10.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyautogui>=0.9.54
Pillow>=10.0.0
opencv-python>=4.8.0
pyobjc-framework-Vision>=10.0
pyobjc-framework-Quartz>=10.0
Confidence
98% confidence
Finding
opencv-python>=4.8.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyautogui>=0.9.54
Pillow>=10.0.0
opencv-python>=4.8.0
pyobjc-framework-Vision>=10.0
pyobjc-framework-Quartz>=10.0
Confidence
94% confidence
Finding
pyobjc-framework-Vision>=10.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
Pillow>=10.0.0
opencv-python>=4.8.0
pyobjc-framework-Vision>=10.0
pyobjc-framework-Quartz>=10.0
Confidence
94% confidence
Finding
pyobjc-framework-Quartz>=10.0

Known Vulnerable Dependency: Pillow — 10 advisory(ies): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category
Supply Chain
Confidence
96% confidence
Finding
Pillow

Known Vulnerable Dependency: opencv-python — 10 advisory(ies): CVE-2017-12864 (Integer Overflow or Wraparound in OpenCV); CVE-2017-12598 (Out-of-bounds Read in OpenCV); CVE-2019-14493 (NULL Pointer Dereference in OpenCV) +7 more

High
Category
Supply Chain
Confidence
93% confidence
Finding
opencv-python

VirusTotal

64/64 vendors flagged this skill as clean.
