PCClaw

Security checks across malware telemetry and agentic risk

Overview

PCClaw is a coherent Windows automation skill bundle, but it asks for unusually broad system and privacy access with weak install and confirmation safeguards.

Install only if you want an agent to have broad Windows control. Review the remote installer before running it, avoid the pipe-to-iex quick start, confirm exactly what Moltbook data will be posted, and treat screenshots, browser history, clipboard, notes, microphone audio, environment variables, refresh tokens, scheduled tasks, and package changes as sensitive operations requiring explicit approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (29)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill advertises a limited read/search purpose, but the body includes materially broader capabilities: creating, updating, deleting notes, exporting all notes to an arbitrary file path, and launching the app. This mismatch can cause users or downstream agents to grant trust or invoke the skill under false assumptions, enabling unintended modification or exfiltration of potentially sensitive note data.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The export feature writes all note contents to an arbitrary output path, which exceeds the stated purpose of reading/searching local notes and creates a straightforward data exfiltration path. Because Sticky Notes often contain credentials, personal reminders, and other sensitive information, exporting them to plaintext on disk can expose data to other local users, backups, sync tools, or malware.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill is presented as a diagnostics/system-information tool, but it includes a forceful `Stop-Process -Force` capability that changes system state and can terminate arbitrary processes. In an agent setting, this broadens the skill from observation to potentially disruptive action, enabling accidental or abusive denial-of-service against user applications or security tools.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Enumerating all environment variables is broader than typical hardware/OS diagnostics and can expose secrets such as access tokens, credentials, internal URLs, and user-specific configuration. In an agent context, this materially increases sensitive-data exposure risk because the output may be surfaced to the model, logs, or downstream tools.

Missing User Warnings

High
Confidence
98% confidence
Finding
The README prominently recommends `irm ... | iex`, which fetches and executes remote PowerShell code directly without giving a clear security warning or encouraging users to inspect the script first. This creates a high-risk trust boundary issue: if the hosting site, DNS, TLS termination, or upstream content is compromised, users may run arbitrary code on their machine immediately.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The installer behavior states it registers the user on Moltbook, creates an agent profile, and posts a first message, but the README does not surface this as an explicit privacy/account-creation warning in the quick-start path. Users may unknowingly trigger external account creation and data transmission, which is a meaningful consent and privacy risk even if intended functionality.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation instructs users to execute a remote PowerShell script directly from the network using `irm ... | iex`, which bypasses basic review and integrity verification of the downloaded code. In a skill/install context this is especially dangerous because compromise of the hosting domain, DNS, TLS termination, or the installer itself would give an attacker immediate arbitrary code execution on the user's Windows machine.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill documents destructive operations (`delete` and `clear`) but does not warn that they can permanently remove task data or completed items. In an agent context, this increases the chance of accidental irreversible data loss if the commands are executed without explicit user confirmation or scope checks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The OAuth setup instructs users to handle `client_secret` and `refresh_token` values without any guidance on protecting them. These credentials can grant persistent access to a user's Google Tasks data, so exposing them in shell history, logs, or shared files could lead to account data access or abuse.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs users to save a long-lived Microsoft refresh token in local configuration and explicitly states it can work indefinitely, but it does not warn that this credential grants ongoing access to the user's To Do data. If the token is exposed through logs, backups, local compromise, or config sharing, an attacker can continuously mint new access tokens and read or modify tasks without re-prompting the user.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation instructs users to export all notes to a text file without clearly warning that the resulting file may contain sensitive plaintext such as secrets, personal information, or work notes. In practice, omission of this warning increases the chance that users store exports in insecure locations or synced folders, broadening exposure beyond the app's local database.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The example workflows normalize capturing, searching, and summarizing note contents without warning that notes may contain highly sensitive information. This can lead agents or users to process and restate secrets more broadly than intended, increasing privacy exposure and the chance of accidental disclosure in logs, summaries, or backups.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This skill is explicitly designed to access highly privacy-sensitive local data including browsing history, bookmarks, downloads, and active tab titles, yet it does not present an explicit warning, consent boundary, or use restriction. In an agent environment, this materially increases the risk of silent user surveillance, profiling, and disclosure of credentials, internal URLs, or sensitive research activity.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The skill provides commands to open arbitrary URLs in the default or specified browser without warning that this launches external content and may trigger navigation to malicious or tracking-enabled sites. In an agent workflow, this can be abused for phishing, drive-by interaction, or unwanted network access if a URL is opened without clear user intent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The live screenshot and region-capture examples save screen contents to predictable files under %TEMP%, which can expose sensitive on-screen data such as passwords, personal information, or internal documents to other local processes, later users, or forensic recovery. In this skill context, OCR is expected, but persisting screenshots to disk without any warning, cleanup, or safer handling increases privacy and data-leakage risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill includes deletion commands for individual tasks and for all tasks in the \PCClaw\ folder using `Unregister-ScheduledTask ... -Confirm:$false`, which suppresses confirmation and enables irreversible removal in a single step. In an agent setting, this increases the risk of accidental destructive actions, especially if task names, paths, or scope are inferred incorrectly or user intent is ambiguous.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill provides straightforward instructions to capture full-screen, region, multi-monitor, and titled-window screenshots, plus enumerate visible windows, but does not warn that these actions may collect passwords, messages, documents, tokens, or other sensitive on-screen data. In an agent setting, this omission increases the risk of over-collection and privacy violations because operators may treat screenshot capture as routine diagnostics rather than a sensitive capability.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The command prints every environment variable without any warning that values may contain secrets, API keys, tokens, proxy credentials, or private paths. Even if intended for troubleshooting, the lack of a disclosure warning and redaction makes inadvertent sensitive-data leakage likely.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill includes `Stop-Process -Force` with no warning about unsaved work, service interruption, or system instability. In practice, a forceful kill can cause immediate data loss or disrupt critical applications, so the absence of a cautionary prompt increases the chance of harmful misuse or accidental execution.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This skill explicitly documents window-closing and force-kill capabilities, including `WM_CLOSE` and `Stop-Process -Force`, without adjacent warnings about unsaved work, irreversible termination, or the need for explicit user confirmation. In a UI automation skill, these commands are operationally legitimate, but the lack of safeguards makes accidental destructive use more likely and enables disruptive automation against arbitrary user applications.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill provides microphone recording commands that capture ambient audio and save it to a temporary file, but it does not explicitly warn the user that live microphone data will be recorded and stored on disk. In an agent setting, this can lead to accidental collection of sensitive conversations or background speech without adequately informed user consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The real-time streaming transcription section starts continuous microphone capture and only notes that Ctrl+C stops it, but does not explicitly warn that ongoing audio collection will continue until manually terminated. This increases the risk of prolonged unintended surveillance or transcription of sensitive spoken information in the user's environment.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill documents multiple state-changing commands such as install, upgrade, uninstall, and import without an explicit warning that these actions modify system software and may require user confirmation before execution. In an agent context, presenting destructive or system-altering commands as routine examples increases the risk of unintended package installation, removal, or mass upgrade, especially because the commands are configured for non-interactive execution and automatic agreement acceptance.

Missing User Warnings

High
Confidence
98% confidence
Finding
The page prominently encourages users to run `irm openclaw.irisgo.xyz/i | iex`, which downloads and immediately executes remote PowerShell code without any inline warning about code execution, privilege implications, or verification steps. In the context of an agent-skill installer that can install software and configure the system, this materially increases the risk of unsafe execution, supply-chain compromise, or user deception.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The page states that the installer will automatically register the user's AI agent on Moltbook and post its first message, but does not present a clear consent, privacy, or integrity warning near that claim. Automatic creation of an external-facing identity and outbound posting can expose user, host, or agent metadata and create unintended account activity.

VirusTotal

65/65 vendors flagged this skill as clean.
