desktop mouse

Security checks across malware telemetry and agentic risk

Overview

This skill openly provides local Linux mouse control, which is risky if misused but matches its stated purpose and is not hidden or deceptive.

Install this only if you want an agent to move and click your local Linux mouse. Keep sensitive prompts, payment flows, and administrative dialogs out of focus when using it, give explicit coordinates/actions, and verify that the local molt-mouse command is the reviewed wrapper.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: This skill directly exposes local mouse movement, clicking, holding, and dragging capabilities without any built-in user confirmation, visibility, or contextual safety checks. In an agent setting, silent GUI control can be abused to click through security prompts, alter settings, authorize actions, or interfere with the user’s active session, making the capability materially dangerous even though the shell code itself validates numeric inputs.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal