UI Element Ops

Security checks across malware telemetry and agentic risk

Overview

This skill is a real UI automation helper, but it includes an overbroad shell-command hook that should be reviewed carefully before installation.

Install only if you intentionally want an agent to inspect screenshots and control your desktop. Avoid `wait --refresh-cmd` unless you fully control the exact command, keep PyAutoGUI failsafe enabled, review the external PyPI/GitHub/Hugging Face dependencies, and avoid using it on sensitive screens or workflows where an unintended click, typed text, hotkey, or screenshot would be harmful.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

def run_refresh_command(cmd: str, timeout: float, ignore_errors: bool) -> None:
    # Flagged call: the user-supplied command string is handed to a shell
    result = subprocess.run(
        cmd,
        shell=True,
        text=True,
        capture_output=True,
        timeout=timeout,
    )
Confidence
97% confidence
Finding
result = subprocess.run( cmd, shell=True, text=True, capture_output=True, timeout=timeout, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill exposes meaningful capabilities including shell execution, file access, environment access, and network use, but does not declare permissions or constrain them in the interface documentation. In a UI-automation skill, this is dangerous because the skill can move from passive screenshot parsing into active system interaction and potentially broader host access without clear user consent or policy gating.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Allowing arbitrary shell commands during polling makes this skill a general command-execution primitive rather than only a UI automation tool. In an agent setting, that broadens the attack surface substantially because any caller who can influence --refresh-cmd can run OS commands under the agent's privileges.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation language is broad enough to trigger on many generic UI-help requests, increasing the chance the skill is selected in contexts where users did not intend desktop control or screenshot processing. Because this skill can capture screens and perform clicks/typing/hotkeys, over-broad routing expands the attack surface and can lead to unintended system interaction.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation advertises screenshot capture and desktop actions such as click, type, key, and hotkey without prominent warnings about privacy, data capture, and system-side effects. In this context, screenshots may expose sensitive on-screen data and input automation can cause destructive actions, account misuse, or data exfiltration if invoked in the wrong context.

Missing User Warnings

Low
Confidence
93% confidence
Finding
The script automatically installs packages from PyPI, clones a GitHub repository, and downloads model weights from Hugging Face without any explicit user warning, confirmation, or integrity verification. In a skill that operates desktop UI and processes screenshots, this increases supply-chain and privacy risk because setup may contact multiple external services and fetch executable Python dependencies and models from mutable remote sources.

VirusTotal

65/65 vendors flagged this skill as clean.
