Linux Desktop Control

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Linux desktop automation skill, but it exposes broad screen-control powers and has an unsafe command-building flaw that needs review before use.

Install only if you intentionally want an agent to view and control your Linux desktop. Avoid passing untrusted text, paths, key names, or window IDs to this skill until the shell command construction is fixed, and require manual confirmation before using it around terminals, browsers, password prompts, business apps, or private content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

def run_command(cmd):
    """Run a shell command."""
    # Flagged: cmd is a single string handed to /bin/sh, so any caller-supplied
    # data concatenated into it (window ids, key names, text) is parsed as shell syntax.
    try:
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
        return result.returncode == 0, result.stdout.strip(), result.stderr.strip()
    except subprocess.TimeoutExpired:
        return False, "", "Command timed out"
Confidence
98% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)

Missing Permission Declaration

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill clearly instructs users to install and use shell-accessed desktop-control tools, yet the skill metadata does not declare corresponding permissions or boundaries. This creates a transparency and governance gap: a caller may invoke a skill that can take screenshots and inject input without an explicit permission model, increasing the chance of unauthorized or surprising host interaction.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The wrapper centralizes arbitrary shell execution and is used by desktop-control functions that compose command strings from external input. In this skill context, an agent may pass untrusted task content into these wrappers, so the issue is more dangerous because it combines OS command execution with powerful desktop automation capabilities.
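The two findings above (the shell=True wrapper and the desktop-control functions that build command strings from external input) describe one defect. The block below is an added example, not code from the skill or from the scan: it places the flagged pattern beside a hardened wrapper that takes an argv list, never spawns a shell, and allow-lists the window ids and key chords before they reach the command. The report does not name the desktop-control tool; xdotool and its flags are an assumption here, and the two demo functions run a Python child in place of xdotool so the example can be executed offline.

```python
import re
import subprocess
import sys

# Added example, not the skill's own code. xdotool is assumed as the
# desktop-control tool (the report does not name it); the demos below run a
# Python child instead of xdotool so the block works without an X display.

TIMEOUT_S = 30


def run_command_shell(cmd: str):
    """Pattern flagged in the finding: one string, re-parsed by /bin/sh.

    Whatever the caller concatenated into `cmd` (window ids, key names,
    text to type) is shell syntax now, so ';', '$(...)' or '|' inside that
    data become extra commands.
    """
    try:
        r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=TIMEOUT_S)
        return r.returncode == 0, r.stdout.strip(), r.stderr.strip()
    except subprocess.TimeoutExpired:
        return False, "", "Command timed out"


def run_command(argv: list[str]):
    """Hardened wrapper: argv list, no shell; each element is one literal token."""
    if not argv or not all(isinstance(a, str) for a in argv):
        raise ValueError("argv must be a non-empty list of strings")
    try:
        r = subprocess.run(argv, capture_output=True, text=True, timeout=TIMEOUT_S)
        return r.returncode == 0, r.stdout.strip(), r.stderr.strip()
    except (subprocess.TimeoutExpired, FileNotFoundError) as exc:
        return False, "", str(exc)


# Allow-lists for the data the overview says must not reach the shell.
WINDOW_ID_RE = re.compile(r"^(?:0x[0-9a-f]{1,8}|[0-9]{1,10})$")   # X11 window id, hex or decimal
KEY_CHORD_RE = re.compile(r"^[A-Za-z0-9_]{1,32}(?:\+[A-Za-z0-9_]{1,32}){0,4}$")  # e.g. ctrl+shift+t


def check_window_id(window_id: str) -> str:
    wid = window_id.strip().lower()
    if not WINDOW_ID_RE.fullmatch(wid):
        raise ValueError(f"rejected window id: {window_id!r}")
    return wid


def check_key_chord(chord: str) -> str:
    if not KEY_CHORD_RE.fullmatch(chord):
        raise ValueError(f"rejected key chord: {chord!r}")
    return chord


def build_activate(window_id: str) -> list[str]:
    return ["xdotool", "windowactivate", "--sync", check_window_id(window_id)]


def build_key(chord: str) -> list[str]:
    return ["xdotool", "key", "--clearmodifiers", check_key_chord(chord)]


def build_type(text: str) -> list[str]:
    # Text is passed as one argument and never re-parsed; only refuse input that
    # could be read as an option or that carries control characters.
    if text.startswith("-") or any(ord(c) < 0x20 for c in text if c not in "\t\n"):
        raise ValueError("refusing to type option-like or control-character text")
    return ["xdotool", "type", "--delay", "50", text]


def demo_shell_injection(payload: str) -> str:
    """Same flow as the flagged wrapper: concatenate, then let sh parse it."""
    _, out, _ = run_command_shell("echo " + payload)
    return out


def demo_literal_argument(payload: str) -> str:
    """Same payload through the argv wrapper; a Python child echoes argv[1] back."""
    _, out, _ = run_command([sys.executable, "-c", "import sys; print(sys.argv[1])", payload])
    return out


if __name__ == "__main__":
    # Constructed sample: a window id with a trailing command appended.
    payload = "0x1e00003; echo INJECTED"
    print("shell=True  :", demo_shell_injection(payload).splitlines())   # second command ran
    print("argv list   :", demo_literal_argument(payload))                # one literal string
    print("validated   :", build_activate("0x1e00003"))
    try:
        build_activate(payload)
    except ValueError as exc:
        print("rejected    :", exc)
```

The allow-lists are deliberately narrower than what xdotool accepts: a window id that is not a plain hex or decimal number, or a key chord containing anything but names joined by `+`, is rejected before any process is spawned, which is the right failure mode for an agent-driven tool that may receive task content it did not author.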

Vague Triggers

Medium
Confidence
92% confidence
Finding
The activation condition is overly broad because it effectively authorizes the skill for nearly any Linux desktop interaction. That broad trigger surface increases the likelihood the agent will select this powerful skill in situations involving sensitive data, login dialogs, terminals, or unrelated tasks where screenshotting and input injection could cause privacy loss or destructive actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill describes screenshot capture, window listing, typing, and mouse/keyboard control up front, but it does not place strong privacy and consent warnings alongside those behaviors. Because these actions can expose on-screen secrets, capture personal content, or send unintended input to the focused window, weak contextual warnings materially increase the risk of misuse or accidental harm.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The screenshot functions capture full-screen or window content and save it to disk without any consent, warning, redaction, or access-control mechanism. In a desktop automation skill, this raises real privacy and data-exposure risk because screenshots may contain credentials, personal data, secrets, or sensitive business information.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Mouse and keyboard automation can trigger destructive or security-sensitive actions on the user's desktop without guardrails, such as sending messages, approving prompts, or interacting with privileged dialogs. In this skill context, that capability is inherently risky because it directly manipulates the UI and can be driven by untrusted instructions.

VirusTotal

0 of 66 vendors flagged this skill; all 66 rated it clean.