ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Desktop Control (Windows)

v1.0.1

Control desktop applications on Windows — launch, close, focus, resize, move windows, simulate keyboard/mouse input, manage processes, control VSCode, read clipboard, and capture screen info. Use when the user wants to interact with any running program, switch windows, type text, press shortcuts, open files in VSCode, manage running processes, or get system display information.

4· 8k·53 current·54 all-time
by@lexylent
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description align with the provided PowerShell scripts. All included scripts (window management, input simulation, process manager, screen info, VSCode control) are directly relevant to 'Desktop Control (Windows)'. No unrelated environment variables, downloads, or external services are requested.
Instruction Scope
SKILL.md instructs executing bundled PowerShell scripts from the skill folder (full paths) and to use 'powershell -ExecutionPolicy Bypass -File ...'. The instructions legitimately cover actions needed for desktop control (focus windows, send keys, take screenshots, read/set clipboard, kill processes, invoke VSCode CLI). However 'ExecutionPolicy Bypass' and the ability to send arbitrary input, kill processes, capture screenshots, and read the clipboard are high-impact actions — the doc's safety rules are helpful but not enforceable. Confirmations are recommended but rely on the agent's behavior.
Install Mechanism
No install spec or external downloads; this is instruction-only with included .ps1.txt script files. The files will be stored locally as part of the skill. The SKILL.md asks the user to rename .ps1.txt to .ps1 and run them locally — no remote code fetches or archive extraction are involved.
Credentials
The skill requests no credentials or additional environment variables. The scripts reference standard environment info (USERPROFILE, USERNAME, PATH) and local system APIs only. They do run local programs (Start-Process/code CLI) and access system state (process list, system info, clipboard), which is proportional to the stated functionality.
Persistence & Privilege
The skill does not request always:true, nor does it modify other skills or system-wide config. It does instruct running scripts with ExecutionPolicy Bypass (transient bypass per command) and will require storing/renaming script files into the skill directory. Because the skill can be invoked autonomously (platform default), its ability to simulate input, kill processes, and capture screenshots increases blast radius — consider limiting autonomous invocation if you don't fully trust the skill.
Assessment
This skill is internally consistent with its stated purpose, but it grants powerful local control: it can type arbitrary keystrokes, move/click the mouse, kill processes, read/set the clipboard, and save screenshots. Before installing: 1) Only install if you trust the source/author. 2) Manually review the provided .ps1.txt scripts (they are plain PowerShell) to confirm there is no hidden behavior beyond what you expect. 3) Avoid enabling global script execution policies; prefer running individual scripts explicitly or run in an isolated VM/test account. 4) Be cautious about allowing autonomous invocation — if possible require user confirmation before executing actions that kill processes, overwrite clipboard, or capture the screen. 5) If you plan to use VSCode control, verify the 'code' CLI behavior and that installing/uninstalling extensions is acceptable. If you want a lower-risk approach, run the scripts only on demand rather than permitting the agent to invoke them autonomously.

Like a lobster shell, security has layers — review code before you run it.

automationvk9720bp3fhkg672phbj5b4932x80yfmwdesktopvk9720bp3fhkg672phbj5b4932x80yfmwlatestvk9720bp3fhkg672phbj5b4932x80yfmwvscodevk9720bp3fhkg672phbj5b4932x80yfmwwindowsvk9720bp3fhkg672phbj5b4932x80yfmw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments