Agent Tool Scout

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Mac automation tool, but it gives an AI broad control over local apps without strong built-in confirmation safeguards.

Install only if you intentionally want an AI agent to control macOS applications. Pin and verify the `clam-mac` package, grant Automation and Accessibility permissions narrowly, use an app/action allowlist where possible, require human confirmation before file, email, browser, messaging, or system-setting changes, and remove generated wrappers plus revoke macOS permissions when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
end if
end tell
'''
    result = subprocess.run(
        ["osascript", "-e", script],
        capture_output=True, text=True, timeout=15,
    )
Confidence
95% confidence
Finding
result = subprocess.run( ["osascript", "-e", script], capture_output=True, text=True, timeout=15, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
Returns:
        Returns True if both installation and verification succeed.
    """
    result = subprocess.run(
        [sys.executable, "-m", "pip", "install", "-e", str(wrapper_dir)],
        capture_output=True,
        text=True,
Confidence
93% confidence
Finding
result = subprocess.run( [sys.executable, "-m", "pip", "install", "-e", str(wrapper_dir)], capture_output=True, text=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Verify that the entry point is usable
    ep_path = _entry_point_path(app_id)
    result = subprocess.run(
        [ep_path, "--help"],
        capture_output=True,
        text=True,
Confidence
91% confidence
Finding
result = subprocess.run( [ep_path, "--help"], capture_output=True, text=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def uninstall_wrapper(app_id: str) -> bool:
    """Uninstall a wrapper: pip uninstall + delete files + remove the registry entry."""
    # pip uninstall
    subprocess.run(
        [sys.executable, "-m", "pip", "uninstall", "-y", f"clam-{app_id}"],
        capture_output=True,
        text=True,
Confidence
77% confidence
Finding
subprocess.run( [sys.executable, "-m", "pip", "uninstall", "-y", f"clam-{app_id}"], capture_output=True, text=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
cmd.extend([f"--{key}", str(value)])

    try:
        result = subprocess.run(
            cmd, capture_output=True, text=True, timeout=35,
        )
    except FileNotFoundError:
Confidence
91% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, timeout=35, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _run_osascript(script: str, timeout: int = 10) -> str | None:
    """Run an AppleScript and return stdout, or None on failure."""
    try:
        result = subprocess.run(
            ["osascript", "-e", script],
            capture_output=True, text=True, timeout=timeout,
        )
Confidence
96% confidence
Finding
result = subprocess.run( ["osascript", "-e", script], capture_output=True, text=True, timeout=timeout, )

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
clam_execute exposes a generic execution primitive over generated wrapper binaries, turning the skill from a discovery/generation tool into an active local automation channel. In the context of an MCP tool callable by an AI agent, this materially increases risk because the agent can trigger actions in Finder, Chrome, Word, Music, or other installed apps without granular safety constraints.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README promotes AI-driven control of native Mac applications, including actions like sending email, manipulating files, and controlling system/application behavior, but does not clearly warn about the associated risks, permissions, or need for human confirmation before impactful actions. In an agent context, this omission is security-relevant because it normalizes broad shell/app automation that could lead to unintended destructive or privacy-invasive actions once integrated into autonomous workflows.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill markets unrestricted control of arbitrary macOS applications and dynamic CLI generation without warning that this can read documents, manipulate files, control browsers, or trigger privileged UI automation. In this context, the broad control surface makes omission of safety guidance materially dangerous because downstream agents may treat the interface as low-risk utility tooling.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The examples provide directly executable commands that alter application state, open files, and interact with Finder, Music, and Chrome, but they do not include any caution about user approval or side effects. Because this is an automation skill for local apps, copy-pasteable examples can easily be used by an agent to perform unintended actions on the host system.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script performs user-visible control actions against Music.app, including starting playback and changing system/media volume, without an explicit upfront warning or confirmation gate. In an agent skill context, this is risky because invoking a seemingly harmless demo can unexpectedly affect the user's environment, privacy, audio output, or active session.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The cleanup logic silently modifies state by setting volume to 73 and stopping playback, which can disrupt the user's current media session and does not actually restore the prior state. Hidden state changes are especially problematic in agent-operated tooling because users may not realize the script will alter their environment even after the demo appears to finish.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly instructs agents/users to run install and state-changing commands like playback control and property writes, but it does not warn that these operations can change system/application state or trigger side effects. In an agent skill context, documentation doubles as operational guidance, so omission of confirmation and side-effect expectations can lead to unintended app installation, media control, or other modifications on the user's Mac.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README promotes shell-based control of macOS applications, including UI scripting and AppleScript automation, without prominently warning about privacy, accessibility, automation permissions, and the potential to manipulate sensitive applications. In this skill context, giving an agent 'hands to control any Mac app' materially increases risk because an LLM-driven agent could access or alter user-facing apps, send input, or interact with private content once permissions are granted.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README promotes broad AI-driven control over local applications, files, media, and potentially email-like actions without clearly warning that this grants an agent the ability to trigger real system side effects. In the context of an agent skill, this omission is security-relevant because users may enable powerful automation without understanding privacy, integrity, or unintended-action risks.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The MCP example explicitly says the AI will automatically scan apps, install wrappers, and execute commands, which normalizes autonomous shell execution and app control without any guardrails or consent language. For an agent-integrated tool, this increases the likelihood of unreviewed actions on the host system, including unintended file, app, or communication operations.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The execution tool provides no user-facing disclosure that calling it will operate local applications and may read, modify, or trigger actions on local data. In an agent setting, lack of clear warning and consent can lead to unintended high-impact actions even if the underlying feature is intentional.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
clam_install writes wrapper files and performs a local installation step via pip without explicit warning that it modifies the local environment. In an AI-agent context, silent installation increases the chance of unexpected persistence, package/environment changes, and trust boundary violations on the user's machine.

VirusTotal

66/66 vendors flagged this skill as clean.
