mac-use

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate local Mac automation skill, but it needs Review because it gives an agent broad screen and input control with limited guardrails.

Install only if you intentionally want an agent to see your Mac screen and control your mouse and keyboard. If you do:
  • Use a virtual environment, and keep sensitive screens (password managers, banking, account and security settings) out of its view.
  • Do not type secrets through it.
  • Delete /tmp/mac_use*.png and /tmp/mac_use_elements.json after use; the screenshots and element dump otherwise stay on disk.
  • Require explicit human approval before any action that sends, buys, deletes, approves, or changes account or security settings.
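One way to enforce the approval and cleanup rules above in code, as an added example that is not part of the mac-use skill or the scanner output: a thin policy layer that sits between the agent and whatever GUI primitive the skill exposes. The Action model, the verb vocabulary, the `confirm` callback and the function names are this example's own assumptions; the artifact file patterns are the ones named above, with the directory made a parameter so the cleanup can be exercised against a scratch directory.

```python
"""Added example, not code from the mac-use skill.

A thin policy layer around whatever GUI primitives the skill exposes, enforcing
the two operational rules from the overview: actions that send, buy, delete,
approve, or change account/security settings wait for a human, and the
/tmp/mac_use*.png and /tmp/mac_use_elements.json artifacts are removed when
the session closes. The Action model, the verb vocabulary and the primitive
callback are this example's own assumptions; the file patterns are the ones
named in the overview.
"""
import glob
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Iterable

# Verbs that require a human in the loop (overview rule; vocabulary assumed here).
APPROVAL_VERBS = frozenset({"send", "buy", "delete", "approve", "change_account", "change_security"})

# Artifact patterns from the overview; the directory is a parameter so the
# cleanup can be exercised against a scratch directory instead of /tmp.
ARTIFACT_PATTERNS = ("mac_use*.png", "mac_use_elements.json")


@dataclass(frozen=True)
class Action:
    verb: str          # agent's intent: "click", "type", "send", ...
    app: str           # target application
    detail: str = ""   # button label, typed text, key combo


def decision(action: Action, blocked_apps: Iterable[str] = ()) -> str:
    """'deny' for apps the operator keeps off-limits (the 'avoid sensitive
    screens' rule), 'approve' for verbs needing a human, else 'allow'."""
    if action.app.lower() in {a.lower() for a in blocked_apps}:
        return "deny"
    if action.verb.lower() in APPROVAL_VERBS:
        return "approve"
    return "allow"


class GatedSession:
    def __init__(self, confirm: Callable[[Action], bool], blocked_apps=(), tmp_dir="/tmp"):
        self.confirm = confirm            # asks the human; True means go ahead
        self.blocked_apps = tuple(blocked_apps)
        self.tmp_dir = tmp_dir
        self.log = []                     # (action, outcome) for post-session review

    def run(self, action: Action, execute: Callable[[Action], None]) -> str:
        """Apply the policy, then call EXECUTE (the real GUI primitive) only if
        the action is allowed outright or a human confirmed it."""
        outcome = decision(action, self.blocked_apps)
        if outcome == "approve":
            outcome = "confirmed" if self.confirm(action) else "rejected"
        if outcome in ("allow", "confirmed"):
            execute(action)
        self.log.append((action, outcome))
        return outcome

    def close(self) -> list:
        """Remove the skill's screenshot and element-dump artifacts; return the paths removed."""
        removed = []
        for pattern in ARTIFACT_PATTERNS:
            for path in glob.glob(os.path.join(self.tmp_dir, pattern)):
                os.remove(path)
                removed.append(path)
        return removed


def demo(tmp_dir=None) -> dict:
    """Exercise the policy on constructed inputs in a scratch directory."""
    tmp_dir = tmp_dir or tempfile.mkdtemp()
    for name in ("mac_use_0.png", "mac_use_elements.json", "unrelated.txt"):
        open(os.path.join(tmp_dir, name), "w").close()
    executed = []
    # confirm always says no, standing in for a human who declines.
    session = GatedSession(confirm=lambda a: False, blocked_apps=["PasswordManager"], tmp_dir=tmp_dir)
    outcomes = [
        session.run(Action("click", "Finder", "Documents"), executed.append),
        session.run(Action("send", "Mail", "Reply"), executed.append),
        session.run(Action("type", "PasswordManager", "not-a-real-secret"), executed.append),
    ]
    removed = sorted(os.path.basename(p) for p in session.close())
    return {"outcomes": outcomes, "executed": len(executed),
            "removed": removed, "left": sorted(os.listdir(tmp_dir))}


if __name__ == "__main__":
    print(demo())
```

The point of routing every primitive through `run` is that the skill's own click/type/keystroke functions never decide policy; the operator's blocklist and the human confirmation sit outside the agent's reach, and the session log gives something to review afterwards.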

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

def activate_app(app_name):
    """Bring an app to the foreground."""
    # app_name is interpolated directly into the AppleScript source text
    subprocess.run(
        ["osascript", "-e", f'tell application "{app_name}" to activate'],
        capture_output=True,
        timeout=5,
    )
Confidence
98% confidence
Finding
subprocess.run( ["osascript", "-e", f'tell application "{app_name}" to activate'], capture_output=True, timeout=5, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
else:
        mod_str = ""
    script = f'tell application "System Events" to keystroke "{key}"{mod_str}'
    r = subprocess.run(["osascript", "-e", script], capture_output=True, timeout=10)
    if r.returncode != 0:
        sys.stderr.write(f"osascript keystroke failed: {r.stderr.decode().strip()}\n")
Confidence
98% confidence
Finding
r = subprocess.run(["osascript", "-e", script], capture_output=True, timeout=10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f'to perform action "AXRaise" of window "{safe_title}"'
    )
    try:
        subprocess.run(["osascript", "-e", script], capture_output=True, timeout=5)
        time.sleep(0.3)
    except Exception:
        pass
Confidence
99% confidence
Finding
subprocess.run(["osascript", "-e", script], capture_output=True, timeout=5)
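The three findings above all flag the same pattern: a value is formatted into AppleScript source text and the result is handed to `osascript -e`, so the value is part of the program rather than data for it. As an added example (not code from the mac-use skill), the block below shows the two usual ways to keep the value as data: escaping it for an AppleScript string literal, or keeping the script constant and passing the value as a run-handler argument. Function and constant names are this example's own; the hostile-looking input is constructed.

```python
"""Added example, not code from the mac-use skill.

The three flagged snippets build AppleScript source text with f-strings, e.g.
    f'tell application "{app_name}" to activate'
so whatever is in app_name becomes part of the program osascript compiles; a
double quote in the value ends the string literal early. Two ways to keep the
value as data: escape it for an AppleScript string literal, or keep the script
constant and hand the value to osascript as a run-handler argument.
Function names below are this example's own.
"""
import shutil
import subprocess


def applescript_string(value: str) -> str:
    """Quote VALUE as an AppleScript string literal.

    AppleScript string literals use backslash escapes for the backslash and the
    double quote; the backslash must be doubled first.
    """
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def activate_command_escaped(app_name: str) -> list:
    """argv for `osascript -e ...` with app_name escaped into the literal."""
    script = f"tell application {applescript_string(app_name)} to activate"
    return ["osascript", "-e", script]


# One -e per script line; arguments after the last -e reach `argv` in the script.
ACTIVATE_LINES = ("on run argv", "tell application (item 1 of argv) to activate", "end run")


def activate_command_argv(app_name: str) -> list:
    """argv that never interpolates: the script text is fixed, the name is data."""
    cmd = ["osascript"]
    for line in ACTIVATE_LINES:
        cmd += ["-e", line]
    cmd.append(app_name)
    return cmd


def activate_app(app_name: str, timeout: float = 5) -> int:
    """Run the argv form on macOS and return osascript's exit status.

    Returns -1 when osascript is absent (non-macOS hosts), so the builders above
    can still be exercised anywhere.
    """
    if shutil.which("osascript") is None:
        return -1
    r = subprocess.run(activate_command_argv(app_name), capture_output=True, timeout=timeout)
    return r.returncode


if __name__ == "__main__":
    # Constructed value containing double quotes.
    tricky = 'My "Quoted" App'
    print(activate_command_escaped(tricky)[2])
    print(activate_command_argv(tricky))
```

The argv form is the one to prefer: the script never changes, so there is no escaping to get wrong, and the same pattern covers the `keystroke` and `AXRaise` scripts in the other two findings by moving the key text or window title into `item 1 of argv`.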

Vague Triggers

Medium
Confidence
93% confidence
Finding
The invocation scope is overly broad: 'any Mac desktop application's graphical interface' effectively grants this skill applicability across browsers, password managers, messaging apps, system settings, and financial or enterprise tools. In context, this is especially dangerous because the documented capabilities include screenshots, clicking, typing, key presses, window enumeration, and app activation, enabling high-risk interaction with sensitive applications.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation describes screenshot capture, window listing, clipboard-based typing, and app activation/click automation without clearly warning that screenshots may capture sensitive on-screen content and clipboard paste may overwrite user clipboard contents. This omission increases the chance of unintended privacy exposure or destructive interference with the user's active desktop session.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill can click, scroll, paste arbitrary text, and send key combinations to whatever app is focused, with no confirmation, policy checks, or sensitive-action guardrails. In agent use, this enables destructive or stealthy actions such as approving prompts, sending messages, changing settings, or exfiltrating data through GUI workflows.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code captures a full-screen image and performs OCR over it before cropping/returning a window-specific view, which can ingest sensitive data from unrelated apps, notifications, or system prompts. In an agent skill, that materially increases privacy and data-exfiltration risk because the collected text may include secrets outside the user-intended target app.

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyobjc-framework-Vision>=12.0
pyautogui>=0.9
Pillow>=10.0
Confidence
95% confidence
Finding
pyobjc-framework-Vision>=12.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyobjc-framework-Vision>=12.0
pyautogui>=0.9
Pillow>=10.0
Confidence
95% confidence
Finding
pyautogui>=0.9

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyobjc-framework-Vision>=12.0
pyautogui>=0.9
Pillow>=10.0
Confidence
97% confidence
Finding
Pillow>=10.0

Known Vulnerable Dependency: Pillow — 10 advisories, including CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode), CVE-2023-50447 (Arbitrary Code Execution in Pillow), CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category
Supply Chain
Confidence
90% confidence
Finding
Pillow, as constrained by the unpinned specifier Pillow>=10.0 above. Two of the three advisories named in the title predate the 10.x line (CVE-2016-2533 was fixed in 3.1.1, CVE-2021-27922 in 8.1.1), so no release this specifier can resolve to is affected by them. CVE-2023-50447 is different: its fix shipped in Pillow 10.2.0, and >=10.0 still admits 10.0.x and 10.1.0. The finding therefore argues for an exact pin (or at least a lower bound at or above the fixed release), not for treating every listed CVE as live.
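The four supply-chain findings above reduce to one check: does each specifier pin a version, and does the range it still admits overlap a known advisory? As an added example (not part of the mac-use skill or the scanner), the block below runs that check over the three requirement lines quoted in the findings. The advisory table is constructed for the example and deliberately tiny, holding only CVE-2023-50447 with its upstream fix in Pillow 10.2.0; a real audit would load it from an advisory database such as OSV.

```python
"""Added example, not part of the mac-use skill or the scanner.

Reads requirement lines, reports which are not pinned to an exact version,
and checks whether the version range a specifier still admits overlaps a known
advisory. The three requirement lines are the ones quoted in the findings. The
advisory table is constructed for this example and deliberately tiny: it holds
only CVE-2023-50447, whose upstream fix shipped in Pillow 10.2.0. A real audit
would pull the table from an advisory database such as OSV.
"""
import re

REQUIREMENTS = """\
pyobjc-framework-Vision>=12.0
pyautogui>=0.9
Pillow>=10.0
"""

# normalized name -> [(advisory id, first fixed version)]  (constructed table)
ADVISORIES = {
    "pillow": [("CVE-2023-50447", "10.2.0")],
}

_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
_CLAUSE = re.compile(r"(===|==|!=|<=|>=|~=|<|>)\s*(\S+)")


def parse_version(v: str) -> tuple:
    """Numeric dotted versions only; enough for the lines above."""
    return tuple(int(p) for p in v.split("."))


def parse_requirement(line: str):
    """Return (normalized name, [(operator, version), ...]) or None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = _REQ.match(line)
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    name, spec = m.group(1).lower(), m.group(2)
    clauses = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        c = _CLAUSE.fullmatch(part)
        if not c:
            raise ValueError(f"unparseable specifier: {part!r}")
        clauses.append(c.groups())
    return name, clauses


def is_pinned(clauses) -> bool:
    return any(op in ("==", "===") for op, _ in clauses)


def lower_bound(clauses):
    """Lowest version the specifier can resolve to, or None if unbounded below."""
    lows = [parse_version(v) for op, v in clauses if op in (">=", "==", "===", "~=")]
    return max(lows) if lows else None


def admitted_advisories(name, clauses) -> list:
    """Advisories whose affected releases (below the fix) the specifier still admits.

    Only the lower bound matters: with no exact pin, a lower bound below the fix
    means an affected release is a legal resolution (from a stale cache, a
    lockfile, or resolver backtracking), even if a fresh install would pick
    the newest version.
    """
    low = lower_bound(clauses)
    return [adv for adv, fixed in ADVISORIES.get(name, [])
            if low is None or low < parse_version(fixed)]


def audit(text: str) -> list:
    """One record per requirement line."""
    records = []
    for line in text.splitlines():
        parsed = parse_requirement(line)
        if parsed is None:
            continue
        name, clauses = parsed
        records.append({
            "name": name,
            "pinned": is_pinned(clauses),
            "advisories": admitted_advisories(name, clauses),
        })
    return records


if __name__ == "__main__":
    for rec in audit(REQUIREMENTS):
        status = "pinned" if rec["pinned"] else "UNPINNED"
        print(f"{rec['name']:<24} {status:<9} {', '.join(rec['advisories']) or '-'}")
```

Against the three quoted lines every entry comes back unpinned and only Pillow overlaps the constructed advisory table; `Pillow>=10.2.0,<11` or an exact `Pillow==10.3.0` clears it. For the actual fix, generate the pinned file with `pip-compile --generate-hashes` (pip-tools) so installs also verify artifact hashes, not just version numbers.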

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal