OpenClaw PC Control

Security checks across malware telemetry and agentic risk

Overview

This is an openly declared Windows remote-control skill, but it exposes very powerful host-control APIs with weak/default authentication and limited safeguards.

Install only if you intentionally want a remote-control API for your Windows machine. Rotate the bundled API key before use, bind the server to localhost unless you truly need network access, avoid disabled or relaxed mode, and treat shell, file-write, process-kill, clipboard, screenshot, and browser-JavaScript endpoints as full-trust actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (23)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        else:
            return {"success": False, "data": None, "error": f"不支持的shell类型: {shell}"}

        result = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
Confidence
94% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, timeout=timeout, cwd=os.getcwd() )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        else:
            return {"success": False, "data": None, "error": f"不支持的shell类型: {shell}"}

        result = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
Confidence
98% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, timeout=timeout, cwd=os.path.dirname(script_path) or os.getcwd() )

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises powerful capabilities including file operations and shell execution, but the manifest shown in SKILL.md does not declare permissions. This creates a transparency and policy-enforcement gap: users and any permission-gating system may not be properly warned before a highly privileged remote-control skill is invoked.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The file exposes highly sensitive remote-control capabilities and relies on a global middleware check that can be bypassed entirely when security is disabled or no API key is configured. The security-mode UX also advertises stronger protection than is enforced at the route layer, creating a dangerous mismatch that can leave screenshot, file, browser, process, and shell endpoints unauthenticated.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The module exposes a public API that executes arbitrary JavaScript in the current browser context with no restriction, allowlist, or policy check. In a remote PC-control skill, this enables arbitrary page-state manipulation and direct access to sensitive DOM data such as session-bound content, form values, tokens, or account information beyond normal scripted navigation.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
This is a second public entry point for the same dangerous capability: unrestricted execution of caller-supplied JavaScript in the live browser session. Duplicating the capability increases attack surface and makes it easier for higher-level code to invoke powerful page access primitives without any safety boundary.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The configuration embeds a plaintext API key directly in the skill file, which means anyone with access to the repository, package, logs, or deployment artifacts can recover and reuse the credential. In a remote-PC-control skill, this is more dangerous because the surrounding capability set includes shell execution, file operations, and process control, so compromise of the related backend or service could enable unauthorized access to highly sensitive host actions.

Vague Triggers

High
Confidence
97% confidence
Finding
The trigger phrases are extremely broad, covering common requests like screenshot, keyboard, mouse, browser, and file management. Because this skill performs remote control of a Windows PC, broad matching can cause accidental invocation during ordinary conversations, leading to unintended execution of sensitive actions.

Missing User Warnings

High
Confidence
96% confidence
Finding
The description promotes remote PC control, screenshots, keyboard/mouse control, file operations, browser automation, and shell command execution, but does not clearly warn users about the sensitivity and destructive potential of these actions. In this context, missing warnings are especially dangerous because the skill enables near-complete control over a Windows host and access to private data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The click and input functions perform state-changing actions on arbitrary web pages without any confirmation, policy enforcement, or domain restriction. In the context of a remote PC-control skill explicitly intended to operate a user's computer and browser, this can drive purchases, account changes, consent dialogs, or data submission with little friction.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The screenshot API captures and returns the full rendered browser page as base64 with no minimization or consent control. In this skill's context, screenshots may expose sensitive on-screen information such as emails, messages, account pages, tokens in URLs, or PII from authenticated sessions.

Missing User Warnings

High
Confidence
95% confidence
Finding
Unrestricted JavaScript execution is exposed without any warning, but the core issue is stronger than missing disclosure: it grants arbitrary code execution inside the web page context. That permits reading page data, altering DOM state, triggering actions, and bypassing the intended limits of higher-level browser automation methods.

Missing User Warnings

High
Confidence
96% confidence
Finding
This duplicate entry point repeats the same unrestricted browser-context script execution and likewise lacks guardrails or user awareness. In a PC-control tool, such functionality materially increases the risk of covert data extraction and unauthorized state changes on sites where the user is logged in.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This module provides unrestricted clipboard read and write primitives without any user-facing notice, consent flow, or contextual disclosure. In the context of a remote PC control skill, clipboard contents may contain passwords, API keys, personal data, or cryptocurrency addresses, so silent access materially increases the risk of covert data theft or tampering.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This module exposes direct keyboard injection primitives that can press keys, type arbitrary text, and send hotkeys on the user's machine without any user-facing disclosure, confirmation, or policy checks. In the context of a remote PC-control skill, these functions can be used to execute commands, approve prompts, alter files, or interact with security-sensitive applications, making covert misuse significantly more dangerous than in a benign local automation script.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This module exposes direct mouse movement, click, drag, and scroll primitives with no built-in user consent, session gating, authorization checks, or visible disclosure. In the context of a remote PC control skill, these functions can be used to silently manipulate the host UI, approve prompts, alter settings, or assist broader compromise, making the lack of confirmation materially dangerous rather than a mere usability issue.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This module captures the full screen and writes the image to disk with no built-in consent check, user notification, access control, or path restriction. In the context of a remote PC-control skill, screenshots can expose passwords, messages, documents, and other sensitive information, so silent capture materially increases surveillance and data-exfiltration risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The configuration save routine writes the raw API key to disk in plaintext via the 'api_key' field. On a remote PC control skill that can execute shell commands and manipulate files, plaintext credential storage increases the chance that local users, malware, logs, backups, or other components can recover the key and bypass authentication.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The module exposes raw shell execution without any user-facing warning, consent, or step-up confirmation. In a PC-control skill, silent command execution significantly increases the risk of abuse, because sensitive or destructive OS actions could be triggered without the computer owner's informed approval.

Missing User Warnings

High
Confidence
98% confidence
Finding
Executing script files with PowerShell ExecutionPolicy bypass and no explicit user disclosure is especially dangerous because it enables covert execution of complex, persistent, and potentially malicious automation. In this skill's remote-PC-control context, that greatly amplifies the chance of unauthorized system modification, credential theft, persistence, or destructive actions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This CLI exposes arbitrary shell command and script execution with no confirmation, policy gating, allowlist, or contextual warning. In a remote PC-control skill, that creates a direct path to full system compromise, persistence, data theft, and destructive actions if invoked by an untrusted or mistaken agent workflow.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill allows arbitrary file writes to user-supplied paths without any warning, path restriction, or confirmation before modifying local data. In this PC-control context, that can overwrite documents, alter startup files or configs, and stage malicious payloads on the host system.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The process-kill function enables termination of arbitrary named processes without warning or safeguards. In a remote-control tool, this can disrupt security tools, business applications, or system stability, and may be abused to aid further malicious actions.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
