Mac Desktop Automation

Security checks across malware telemetry and agentic risk

Overview

This looks like a disclosed desktop automation tool, but it needs review because it gives broad live-desktop, screenshot, clipboard, and app-launch control with weak default guardrails.

Install only if you intentionally want an agent to control your live desktop. Keep failsafe and approval mode enabled, run it in a non-sensitive or test environment first, avoid exposing passwords or private documents while it is active, and treat screenshots and clipboard contents as sensitive data that may be logged or saved locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (20)

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The clipboard read/write features materially expand the skill beyond mouse, keyboard, and screen automation into access to user data. Clipboard contents often contain passwords, tokens, API keys, or copied sensitive text, so exposing both read and overwrite operations without strong justification or guardrails creates a real privacy and security risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
Window enumeration, title inspection, and active-window access reveal application metadata that can expose sensitive context such as document names, websites, chats, or enterprise tools in use. This exceeds the stated desktop mouse/keyboard/screen control scope and can be abused for reconnaissance prior to further automated actions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The demo reads the current clipboard, prints its contents, overwrites it, and then optionally restores it. Clipboard data often contains sensitive information such as passwords, tokens, personal data, or copied secrets, so exposing it to the console and modifying it without strong necessity creates a real privacy and data-handling risk even in demo code.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding:
The hotkey demo uses OS shortcuts to open the Run dialog and launch Notepad, which crosses from generic input simulation into application launching and process initiation. Even though this specific example launches a benign program, the pattern is dangerous because the same mechanism can start arbitrary executables or system tools on the host.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The guide promotes broad natural-language commands like drawing, typing, launching apps, and later extends to form filling, file operations, and web/navigation tasks without defining scope restrictions, confirmation gates, or prohibited actions. In a desktop automation skill, ambiguous high-level prompts can be interpreted into unsafe UI actions, causing unintended application launches, data modification, or execution in the wrong window/context.

Missing User Warnings

Severity: High
Confidence: 96%
Finding:
The guide explicitly describes autonomous screenshots, text entry, form filling, file operations, social posting, and data transfer between apps, yet it provides no privacy warnings, consent model, or data-handling boundaries. In a desktop-control agent with screen analysis and OCR, this creates a substantial risk of capturing secrets, personal data, documents, or credentials and then propagating them into files, web forms, or third-party services without adequate user awareness.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The quick reference explicitly demonstrates taking screenshots and saving them to disk without any accompanying privacy or data-handling warning. In a desktop automation skill, screen contents commonly include credentials, personal data, internal documents, or other sensitive material, so normalizing silent capture and persistence increases the risk of accidental collection and local leakage.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The documentation exposes clipboard read/write operations with no warning that clipboard contents often contain passwords, tokens, PII, or proprietary text. Because clipboard access is cross-application and low-friction, examples that normalize reading it without safeguards can lead to unintended disclosure or misuse of sensitive data.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
These examples automate high-impact UI actions such as form submission, window switching, multi-file operations, and replace-all workflows without strong warnings about context sensitivity or irreversible mistakes. In a desktop-control skill, keystrokes and clicks are sent to whichever window has focus, so a small targeting error can submit secrets, overwrite content, modify many files, or trigger destructive actions in the wrong application.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The guide recommends `failsafe=False` and labels it as maximum speed/no safety checks without a strong warning that this removes a primary emergency stop for uncontrolled desktop automation. In this skill's context, disabling failsafe materially increases risk because the tool can rapidly send unintended mouse and keyboard actions to the live desktop, making misfires harder to interrupt and potentially amplifying destructive outcomes.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The screenshot functionality can capture passwords, personal data, tokens, chats, or other sensitive information visible on screen, and the examples include saving captures to disk without any warning about confidentiality or retention. In a desktop-control skill, this is particularly sensitive because screen capture is broad, covertly powerful, and easy to misuse accidentally against the wrong window or monitor.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
Clipboard reads may expose highly sensitive transient data such as passwords, API keys, financial information, or copied personal content, yet the documentation presents the feature as routine and risk-free. Because clipboard contents often come from unrelated applications, this creates cross-context data access that users may not expect.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The automated form-filling example includes entry of personal information and a password, but omits warnings about focus errors, wrong-window entry, credential exposure, and accidental submission. In a desktop automation context, even small targeting mistakes can leak secrets into chat windows, terminals, or logs, or submit sensitive data to unintended destinations.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The screenshot function can capture the full screen or arbitrary regions and save them to disk without approval checks, warnings, or destination restrictions. This can collect and persist sensitive on-screen information such as credentials, messages, documents, or internal dashboards, increasing risk of unintended disclosure or exfiltration.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
Reading clipboard contents without disclosure allows silent access to highly sensitive transient data, including passwords, recovery codes, private messages, and API tokens. In a desktop automation skill, this is particularly dangerous because it can be combined with other automation features to collect and misuse user data without obvious signs.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
Overwriting the clipboard without warning can replace user-copied sensitive or important data and can also stage malicious payloads such as commands, URLs, or crypto addresses for later pasting. The lack of confirmation or visibility makes this unsafe in an automation tool that may be invoked programmatically.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The agent automatically captures screenshots before and after each execution step and stores them in the result object without any explicit consent, warning, or data minimization. Because this skill performs desktop-wide automation, those screenshots may include sensitive on-screen content such as credentials, messages, documents, or unrelated application data, making silent collection a real privacy and security issue.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
This code saves a screenshot image to disk using a filename from the step definition without a clear user-facing disclosure or confirmation that a persistent file will be created. Persisting screenshots increases risk because sensitive desktop contents may remain on disk, be accessed later by other users or processes, or be unintentionally shared or backed up.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The screen-capture demo saves screenshots to disk without a dedicated privacy warning or confirmation at the point of capture. Screenshots can contain emails, documents, credentials, chat messages, or other sensitive on-screen data, and writing them to files increases persistence and exposure risk.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
Printing clipboard contents to the console directly exposes potentially sensitive data to logs, terminal history, screen recordings, or nearby observers. In a desktop automation context this is especially risky because clipboard contents commonly hold copied secrets unrelated to the demo itself.

VirusTotal

65/65 vendors flagged this skill as clean.