my-computer
Security checks across malware telemetry and agentic risk
Overview
The skill largely matches its stated desktop automation purpose, but its bulk file tools include unsafe dynamic evaluation and fragile undo logging that warrant careful review before allowing large local changes.
Install only if you are comfortable with an agent performing broad local desktop automation. Before approving bulk file changes, require a dry run, keep backups, and verify the undo manifest. Do not run undo on untrusted manifest files, avoid giving unnecessary account tokens, and make sure any scheduled tasks include clear removal instructions.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malformed or attacker-controlled undo manifest path could potentially cause code to run under the user's local account on systems where the Python fallback is used.
The script dynamically evaluates a generated Python expression and interpolates the manifest path into Python code. This is not needed for JSON parsing and can become code execution if the Python fallback is used with crafted input paths or if the selector handling changes.
python3 -c "import json,sys; d=json.load(open('$MANIFEST')); print(eval(f'$key'.replace('.','[\"').replace(']',']\"').replace('\"\"','\"')))"
Replace eval with safe JSON traversal, pass the manifest path as an argument to Python instead of interpolating it into code, and avoid running undo on manifests from untrusted sources.
If a bulk move or rename affects many files and the manifest is invalid, the promised undo path may fail or behave unpredictably.
The script advertises undo manifests as the safety mechanism, but it manually builds JSON from raw file paths without escaping. Filenames containing quotes, backslashes, or newlines can corrupt the manifest and make bulk operations harder to reverse.
# The script creates an undo manifest ... echo "{\"action\":\"move\",\"from\":\"$filepath\",\"to\":\"$target_path\"}" >> "$ACTIONS_TMP"
Use a real JSON encoder for manifests, test undo with a dry run, and keep a backup before approving large batch file operations.
Mistaken approval or ambiguous instructions could rename, move, copy, or otherwise change many local files.
The skill is intended to run local commands and perform batch file operations. The artifact includes user-control guidance, so this is purpose-aligned, but the authority is broad.
Confirm before destructive operations. Proceed confidently on safe, read-only operations.
Approve only specific plans, require dry-run previews for batch changes, and limit operations to clearly selected folders.
If used, the agent could send emails, upload files, or post messages through the user's configured accounts or provided tokens.
The reference recipes show automation that can use existing Mail account access or Slack tokens. These examples are aligned with desktop/app automation, but they involve delegated account privileges.
tell application "Mail" ... send newMsg ... -H "Authorization: Bearer $SLACK_TOKEN"
Do not provide tokens unless needed, review outgoing messages/uploads before sending, and use least-privilege service credentials.
Private filenames, document excerpts, or PDF text may be read during organization tasks.
The skill may inspect local document contents to categorize or organize files. This is purpose-aligned, and no external exfiltration is shown, but it can expose private local content to the agent context.
Read the first lines / headers of text files, CSVs, code files to understand content ... Parse PDF text
Point the skill only at folders you intend it to inspect, avoid secret-containing directories, and review reports before sharing them elsewhere.
A scheduled cleanup or automation task could continue running later unless the user tracks and disables it.
The platform guide includes scheduled-task examples that can keep running after the immediate interaction. This is disclosed and aligned with the stated recurring-task purpose, but it is persistent behavior.
systemctl --user enable --now cleanup.timer
Require explicit approval for recurring jobs, document exactly what was installed, and provide disable/remove commands.
