Find My

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local Apple Find My automation skill, but it can view sensitive location data and save local screenshots.

Install only if you are comfortable letting the agent control Find My through macOS Accessibility and Screen Recording permissions. Watch actions involving coordinate clicks or Play Sound, set FM_OUTPUT_DIR to a private folder when possible, and delete Find My screenshots after use because they may contain sensitive locations and names.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium (89% confidence)
Finding
The script performs privileged GUI automation by switching focus to the Find My app and issuing a click with no user confirmation, visibility check, or runtime guard. In an agent skill context, this can cause unintended actions on behalf of the user if the UI state is different than expected or if the skill is triggered unexpectedly, making the automation capable of acting on sensitive location/device controls without explicit consent at execution time.

Missing User Warnings

Medium (93% confidence)
Finding
The script automatically captures a screenshot of the Find My info panel and writes it to disk, which can expose sensitive location and device/person information beyond the immediate app interaction. In the context of a location-tracking skill, persisted screenshots increase privacy risk because they may remain accessible in /tmp or another output directory after the task completes.

Missing User Warnings

Medium (91% confidence)
Finding
This script saves a screenshot of the Find My map, which can contain precise location and address information, to a filesystem path without any explicit user confirmation, warning, or retention controls. Because it defaults to /tmp and prints the saved path, the skill creates a durable artifact of sensitive location data that could be accessed later by other local processes, users, logs, or follow-on automation.

Missing User Warnings

Medium (90% confidence)
Finding
The script captures a screenshot of the Find My window and writes it to a filesystem path, defaulting to /tmp/findmy.png, without any notice, consent prompt, or cleanup. Because Find My can display precise locations, contact names, devices, and item details, leaving this image on disk can expose sensitive personal data to other local processes or users, especially if the file persists in a shared temporary location.

VirusTotal

65/65 vendors flagged this skill as clean.