ClawHub

OpenClaw Desktop Control

Security checks across malware telemetry and agentic risk

Overview

This desktop automation skill is mostly coherent, but it gives an agent broad control over the local desktop and filesystem without clear safety boundaries.

Install only if you intentionally want an agent to control a desktop session. Prefer a disposable VM or low-privilege test account, keep sensitive windows closed, restrict scripts and file paths yourself, and require human review before running automation that types, clicks, opens or closes apps, captures screenshots, or writes files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def open_application(self, name: str) -> None:
        """Open application"""
        if self.platform == 'linux':
            subprocess.run(['xdotool', 'search', '--name', name,
                          'windowactivate', '2>/dev/null'], check=False)
            # If not found, try to launch
            app_map = {
Confidence
88% confidence
Finding
subprocess.run(['xdotool', 'search', '--name', name, 'windowactivate', '2>/dev/null'], check=False)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def close_application(self, name: str) -> None:
        """Close application"""
        if self.platform == 'linux':
            subprocess.run(['xdotool', 'search', '--name', name,
                          'windowkill'], check=False)

    def read_file(self, path: str) -> Optional[bytes]:
Confidence
91% confidence
Finding
subprocess.run(['xdotool', 'search', '--name', name, 'windowkill'], check=False)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
'chrome': 'google-chrome'
            }
            if name in app_map:
                subprocess.Popen([app_map[name]])

    def close_application(self, name: str) -> None:
        """Close application"""
Confidence
87% confidence
Finding
subprocess.Popen([app_map[name]])

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The top-level description frames the skill as desktop control and automation, but the documentation exposes first-class arbitrary file read/write and execution of automation scripts from disk. That mismatch can cause operators or policy layers to underestimate the true authority of the skill, increasing the chance of unsafe delegation and data exposure.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The description also omits application management features such as opening and closing apps and switching desktops. While less severe than file access, undisclosed app-control authority can still enable disruptive or stealthy actions and should be transparently declared.

Description-Behavior Mismatch

Low
Confidence
86% confidence
Finding
The description also omits application management features such as opening and closing apps and switching desktops. While less severe than file access, undisclosed app-control authority can still enable disruptive or stealthy actions and should be transparently declared.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The abstract interface exposes arbitrary file read and write operations, which are materially broader than the manifest's stated purpose of screenshot capture and UI interaction. In the context of a desktop-control skill, this makes the capability more dangerous because it enables silent access to sensitive local files and persistence/modification of host data beyond mere desktop automation.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script execution feature processes local automation instructions from a file and can trigger screenshots, mouse actions, typing, and keypresses without any trust boundary, approval step, or scope restriction. This exceeds the manifest's user-facing description and creates a powerful batch-execution path that could automate sensitive UI actions or data capture at scale.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Application launch and termination are broader host-control capabilities than simple desktop interaction and are not clearly disclosed by the manifest. In a remote automation skill, these features enable process manipulation on the local machine, increasing the potential for disruption, evasion, or unintended execution.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill description centers on desktop control, but this entry point also exposes direct file read/write primitives. In an agent skill context, hidden filesystem access materially expands the attack surface because a caller expecting UI automation could also exfiltrate local files or overwrite sensitive paths.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code allows script-driven screenshot capture and automation execution with no user-facing notice, consent flow, or confirmation despite operating on a sensitive desktop session. In this context, silent execution increases privacy and misuse risk because a caller can batch sensitive UI actions and captures without the user's awareness.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Arbitrary file writes to local paths occur without any confirmation, path restriction, or disclosure to the user. In a desktop-control context this is especially dangerous because it can modify configuration files, drop persistence artifacts, overwrite documents, or stage further compromise on the host.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The library performs broad UI control, text entry, key presses, application activation, process launch, and application termination without any user-facing disclosure or approval mechanism. Because these operations directly manipulate the local desktop session, silent execution can lead to privacy violations, destructive actions, and abuse of the user's trust boundary.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Screenshot capture can collect sensitive on-screen content such as credentials, messages, tokens, and personal data, and this command allows exporting that data without any warning or consent checkpoint. In a remote automation skill, silent screen capture meaningfully increases privacy and data-exfiltration risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Arbitrary keyboard injection can affect whichever application currently has focus, enabling unintended commands, data modification, message sending, or credential entry. Without any warning, focus validation, or confirmation, this is dangerous because a caller can trigger impactful actions in the user session with little visibility.

Missing User Warnings

High
Confidence
95% confidence
Finding
These commands provide direct file read and write access with arbitrary paths and no explicit warning, confirmation, or scope restriction. In practice, this enables local data exfiltration, unauthorized modification of user files, and potentially tampering with configuration or startup files if the underlying controller honors the request.

Missing User Warnings

High
Confidence
92% confidence
Finding
Automation script execution can chain multiple desktop actions and therefore amplify destructive behavior, including UI-driven data deletion, application misuse, and covert exfiltration via screenshots or file access. Running such scripts without warning, preview, or policy enforcement makes abuse easier and reduces user awareness of side effects.

Unvalidated Output Injection

High
Category
Output Handling
Content
def analyze_desktop():
    # 截图
    result = subprocess.run(
        ["python3", "skills/desktop-control/scripts/main.py", 
         "screenshot", "--base64"],
        capture_output=True, text=True
Confidence
90% confidence
Finding
subprocess.run( ["python3", "skills/desktop-control/scripts/main.py", "screenshot", "--base64"], capture_output

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal