Skill v0.1.10
ClawScan security
Agent Desktop · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 17, 2026, 11:02 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The instructions are coherent for a macOS desktop-automation CLI, but the skill lacks provenance (no source/homepage) while telling you to install a global npm package, and it requires granting broad Accessibility access and can read sensitive UI data (screenshots, clipboard, notifications). Verify before installing.
- Guidance: This skill appears functional and internally consistent for macOS desktop automation, but exercise caution before installing and running it:
  1. Do not blindly run `npm install -g agent-desktop` unless you verify the package source (check the npm page, GitHub repo, publisher, and recent release assets). The registry metadata here has no homepage or source listed.
  2. Understand Accessibility (TCC) implications: granting Accessibility to a terminal gives processes launched from that terminal broad control and visibility over your desktop. Prefer granting permission only to a dedicated, minimal terminal app or use an isolated/test account or VM.
  3. The CLI exposes screenshots, clipboard contents, and notifications; treat any agent that can call this skill as able to read sensitive data.
  4. If you want to proceed, inspect the npm package contents (or the project's repository) before installing, run it in an isolated environment first, and restrict which terminal binary you enable in System Settings. If you cannot verify the package source, do not install.
Review Dimensions
- Purpose & Capability (ok): Name, description, and SKILL.md consistently describe a macOS accessibility-based desktop automation CLI (snapshot, click, type, clipboard, notifications, screenshots). Required capabilities (Accessibility permission, ability to read UI trees and manipulate controls) match the stated purpose; there are no unrelated environment variables or extraneous dependencies declared.
- Instruction Scope (note): The instructions stay within the stated domain (observe-act loop, progressive skeleton traversal, many commands for interaction and observation). However the command surface includes high-sensitivity operations: taking screenshots (returned as base64), reading clipboard contents, and listing/acting on notifications. Those are expected for a desktop automation tool but are privacy-sensitive; the SKILL.md does not place limits on what the calling agent should do with returned data (e.g., transmit it externally).
- Install Mechanism (concern): The skill is instruction-only but tells users to run `npm install -g agent-desktop` (or bun). The registry metadata lacks a homepage/source URL, so there is no provenance to verify the npm package or its publisher. Installing a global npm package runs arbitrary code on the machine; this is a non-trivial risk unless you verify the package source and contents first.
- Credentials (concern): No environment variables or credentials are requested (good). However the tool requires granting macOS Accessibility (TCC) permission to your terminal application; this grants any code run from that terminal the ability to control and read UI across apps. Combined with the tool's ability to read clipboard, notifications, and screenshots, this is broad and sensitive access; make sure you understand which terminal app you grant and that you trust the installed CLI and the calling agent.
- Persistence & Privilege (ok): The skill does not request permanent inclusion (always:false), does not declare system-wide config writes, and is user-invocable. There is no explicit persistence or privilege escalation requested by the skill files provided.
