Desktop Control

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real desktop automation skill, but it gives broad control over screen, keyboard, clipboard, windows, screenshots, and app launching with limited default confirmation.

Install only if you intentionally want an agent to control your live desktop. Use it in a test or isolated session first, keep failsafe enabled, prefer require_approval=True where available, avoid running it while sensitive apps or secrets are visible, and do not use autonomous workflows for submissions, public posting, file operations, or clipboard handling without reviewing each action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
The skill includes clipboard read and write functions even though its stated purpose is desktop automation focused on mouse, keyboard, and screen control. Clipboard access can expose secrets such as passwords, tokens, copied documents, or other sensitive user data, and the methods operate without approval or disclosure by default.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding:
Window enumeration and activation expand the skill's access beyond simple input automation into application discovery and context inspection. This can be abused to infer what the user is doing, target sensitive apps for interaction, or bring high-value windows to the foreground for further automated actions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The agent accepts task-derived application names and issues OS-level launch commands via the Run dialog, enabling it to open arbitrary local programs rather than limiting itself to narrowly scoped desktop interactions. In a desktop automation skill, this materially expands the attack surface because untrusted prompts or indirect task input could cause execution of sensitive tools, scripts, or system utilities with real user context.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The demo exercises capabilities beyond the stated skill description by enumerating open window titles and reading/modifying clipboard contents. Those actions expose potentially sensitive user context and data, and the mismatch between declared scope and actual behavior undermines informed consent and increases the chance of misuse in a desktop automation environment.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding:
The hotkey demo launches an OS application by sending Win+R and typing a command, which demonstrates generic command-execution-like behavior rather than narrowly scoped desktop input control. In an automation skill, this can be repurposed to open arbitrary programs or system utilities, making the capability more dangerous than the description suggests, especially if run without strong user review.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The guide explicitly states the agent takes screenshots of task results and later describes before/after screenshots for each step, but it does not warn that screenshots may capture emails, documents, credentials, personal data, or other sensitive on-screen content. In a desktop automation context, autonomous screenshot capture materially increases privacy and data exposure risk, especially if images are persisted to disk or retained in logs/history.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The form-filling example encourages autonomous use of resume data in a job application without warning about privacy leakage, incorrect field mapping, or accidental submission. In a desktop agent that can type and click autonomously, this can expose sensitive personal information and cause irreversible external actions such as submitting inaccurate applications.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The guide presents autonomous social media posting as a normal use case without warning that actions may publish content externally and publicly. Because this agent controls desktop input, unintended clicks or misinterpreted prompts could post sensitive, harmful, or reputationally damaging content to external platforms.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The guide shows `failsafe=False` as a configuration option without a clear warning that disabling safeguards can lead to uncontrolled mouse/keyboard automation, destructive clicks, or inability to interrupt harmful behavior quickly. In an autonomous desktop control skill, removing a failsafe materially increases the chance and severity of unintended actions across arbitrary applications.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The quick reference prominently demonstrates state-changing desktop automation such as typing, hotkeys, file operations, window switching, and launching programs, but does not give an up-front warning that these actions can alter files, submit forms, trigger destructive shortcuts, or affect the host system. In an agent skill, concise examples are likely to be copied directly, so omission of clear risk framing increases the chance of unsafe or unintended execution on a real user desktop.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The screenshot and clipboard sections normalize access to screen contents and clipboard data without warning that both may contain credentials, personal data, confidential documents, tokens, or other sensitive information. In a desktop-control skill, these capabilities materially increase privacy and data-exfiltration risk because they enable bulk capture of whatever is visible or recently copied by the user.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The documentation advertises screenshot capture, image recognition, clipboard access, and saving captured data without prominently warning that these features may collect secrets such as passwords, tokens, personal messages, or proprietary content visible on screen or stored in the clipboard. In an agent setting, missing privacy warnings increase the chance that operators enable or invoke these capabilities without understanding the exposure risk.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The examples perform form filling, submission, file selection/copying, window activation, screenshot saving, and drag-and-drop without emphasizing verification of the active window, selected target, or contents being operated on. Because desktop automation is context-blind, the same commands can act on the wrong application or document and cause unintended data disclosure, modification, or destructive actions if focus changes or coordinates are stale.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The screenshot function can capture the full screen or a region and save it directly to disk without any approval by default. Screenshots may contain credentials, private messages, documents, or other sensitive data, and writing them to disk increases persistence and the chance of later exfiltration.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
Reading clipboard contents without disclosure or approval is a direct privacy and secret-exposure risk because users commonly copy passwords, API keys, personal data, and confidential text. In a desktop automation skill, this creates an easy path to harvest sensitive information unrelated to the immediate automation task.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The agent automatically captures screenshots before and after each step and stores them in the result object without any user-facing disclosure, minimization, or retention controls. Screen captures can contain credentials, messages, documents, or other sensitive data, so silent collection creates a privacy and data-exposure risk even if the feature is intended for debugging or verification.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
This code writes screenshots to disk using caller-controlled filenames without a clear warning or consent step, creating persistent artifacts of potentially sensitive screen contents. Disk persistence increases exposure compared with in-memory use because the files may remain accessible to other users, processes, backups, or later compromise.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The launch flow opens the OS Run dialog, types commands, and presses Enter without any explicit warning, confirmation, or trust boundary around the requested command. In the context of an autonomous desktop agent, synthetic keyboard input plus process launching can trigger unintended or harmful actions under the user's account, especially if tasks are influenced by untrusted input.

VirusTotal

64/64 vendors flagged this skill as clean.