Back to skill

Security audit

desktop mouse

Security checks across malware telemetry and agentic risk

Overview

This skill openly enables local Linux mouse movement and clicking, which is sensitive but matches its stated purpose and shows no hidden data access or malicious behavior.

Install this only if you intentionally want an agent to control your local Linux mouse. Avoid leaving payment screens, administrative prompts, or sensitive dialogs focused while using it, give explicit coordinates/actions, and verify that the local molt-mouse command is the reviewed wrapper.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Low
Confidence
88% confidence
Finding
The skill exposes raw mouse button hold and release actions, which can enable drag operations or prolonged button presses without any confirmation, guardrails, or warning about side effects. In a desktop-control skill, this increases the chance of unintended UI interaction, especially if combined with ambiguous coordinates or chained actions from another agent step.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This wrapper performs real mouse movement and click actions immediately, including drag and hold operations, without any user-facing confirmation, rate limiting, or safety interlock. In a desktop-control skill, that means an upstream agent or prompt injection could trigger unintended UI actions on the local machine, potentially approving dialogs, changing settings, or interfering with user input.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.