OpenClaw PC Control
Warn
Audited by ClawScan on May 10, 2026.
Overview
This is a disclosed PC-control tool, but it gives an agent very broad control over a Windows PC while authentication and safety boundaries are weak or inconsistently described.
Install only if you intentionally want to let an agent control your PC. Before running it, configure and test a strong API key, use the strictest security mode, keep the API bound to localhost, avoid using real browser sessions for automation, approve shell/file/process actions manually, and stop the service when finished.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken, hijacked, or overly autonomous agent action could run arbitrary Windows commands under the user's account.
The tool accepts user-supplied commands or script paths and runs them through PowerShell, including script execution with ExecutionPolicy Bypass.
cmd = ["powershell", "-NoProfile", "-Command", command] ... subprocess.run(cmd, ...) cmd = ["powershell", "-NoProfile", "-ExecutionPolicy", "Bypass", "-File", script_path]
Require explicit user approval for every shell/script action, restrict allowed commands and directories, avoid ExecutionPolicy Bypass by default, and keep the service stopped when not actively needed.
If the service is started without a configured key or with security disabled, callers that can reach it may control the PC without authentication.
The authentication middleware lets requests proceed when security is disabled or when no API key is configured, despite the API exposing PC-control operations.
if not security_config.enabled or not security_config.api_key:
    return await call_next(request)
Make authentication mandatory for all non-health endpoints, fail closed when no API key is configured, and document exactly how to verify that authentication is active.
Users may believe the control server is protected by default and start it in a less safe configuration.
The documentation claims complete/default security while also making API key setup optional; the code further shows auth can be bypassed when no key is configured.
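Windows PC control tool, ready to use out of the box, with complete security protection. ... Configure the API key (optional, recommended) ... The API requires authentication by default.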
Change the documentation to clearly state the real default behavior, make the secure path mandatory, and warn users not to run the API without an active key.
Automated browsing may run with reduced web security, increasing risk when visiting untrusted pages or using real accounts.
Browser automation is purpose-aligned, but these flags weaken browser security and automation-detection protections without being disclosed in the user-facing docs.
options.add_argument("--disable-blink-features=AutomationControlled") ... options.add_argument("--disable-web-security") ... options.add_argument("--allow-running-insecure-content") ... options.add_argument("--ignore-certificate-errors")
Remove these flags unless strictly necessary, disclose any reduced browser protections, and run automation in an isolated browser profile without sensitive sessions.
Private screen contents or clipboard data could be returned to any process or agent that can reach the API in an unsafe configuration.
The HTTP API exposes sensitive local data such as clipboard contents and screenshots; combined with optional/disabled auth, the caller boundary is not strong enough for this sensitivity.
@app.get("/clipboard/read")
def api_clipboard_read():
    return clipboard.clipboard_read()
@app.get("/screenshot")
def api_screenshot(path: str = "screenshot.png"):
    return screenshot.take_screenshot(path)
Require authentication, bind only to localhost unless explicitly configured otherwise, add per-request user confirmation for sensitive reads, and avoid running the service around private activity.
Users have less registry-level assurance about dependency provenance and should inspect the packaged requirements before installing.
The skill asks users to install Python dependencies; this is expected for the tool, but provenance is weaker because the registry lists the source as unknown and has no install spec.
pip install -r skills/pc-control/scripts/requirements.txt
Review the requirements file, prefer pinned versions, and install in an isolated Python environment.
The PC remains controllable through the API while the server is running.
Starting the API service is disclosed and purpose-aligned, but it creates a long-running control surface that remains available until stopped.
# 4. Start the API service
python api.py
Start the service only when needed, stop it after use, and use firewall or bind-address controls to keep it local.
