macOS Desktop Control Enhanced

Security checks across malware telemetry and agentic risk

Overview

This skill openly provides Mac desktop automation, but it gives broad screen, clipboard, keyboard, mouse, and process-killing power without enough safeguards.

Install only if you intentionally want an agent to control your Mac desktop. Treat screenshots, clipboard reads or writes, typing, clicking, app focus, and process termination as actions that should require explicit approval, and avoid using it around passwords, private messages, terminals, admin prompts, or unsaved work until input handling and destructive actions are narrowed and confirmed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def kill_process(pid):
    """Kill a process by PID."""
    subprocess.run(["kill", "-9", str(pid)], check=True)

def launch_app(bundle_id):
    """Launch an app by bundle identifier."""
Confidence
86% confidence
Finding
subprocess.run(["kill", "-9", str(pid)], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
script = f'''
    pkill -f "{bundle_id}"
    '''
    subprocess.run(["osascript", "-e", script], check=True)

# ---------------------------------------------------------------------------
# Clipboard
Confidence
98% confidence
Finding
subprocess.run(["osascript", "-e", script], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def set_clipboard(text):
    """Set clipboard to given text."""
    script = f'set the clipboard to "{text}"'
    subprocess.run(["osascript", "-e", script], check=True)

# ---------------------------------------------------------------------------
# System Information
Confidence
99% confidence
Finding
subprocess.run(["osascript", "-e", script], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# ---------------------------------------------------------------------------
def focus_app(bundle_id):
    """Bring the given app to foreground."""
    subprocess.run(["osascript", "-e", f'tell application "{bundle_id}" to activate'], check=True)

def terminate_app(bundle_id):
    """Force‑close the given app."""
Confidence
98% confidence
Finding
subprocess.run(["osascript", "-e", f'tell application "{bundle_id}" to activate'], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
script = f'''
    pkill -f "{bundle_id}"
    '''
    subprocess.run(["osascript", "-e", script], check=True)

# ---------------------------------------------------------------------------
# Mouse Control
Confidence
98% confidence
Finding
subprocess.run(["osascript", "-e", script], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
keystrokes "{text}"
    end tell
    '''
    subprocess.run(["osascript", "-e", script], check=True)

def press_key(key):
    """Press a single key (key code or name)."""
Confidence
99% confidence
Finding
subprocess.run(["osascript", "-e", script], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
key code {key}
    end tell
    '''
    subprocess.run(["osascript", "-e", script], check=True)
Confidence
90% confidence
Finding
subprocess.run(["osascript", "-e", script], check=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill advertises powerful desktop automation capabilities, including process control, clipboard access, screenshot capture, and synthetic input, yet the manifest shown does not declare permissions or explicit safety boundaries. This creates a transparency and governance gap: users and orchestrators may invoke a shell-capable, system-wide control skill without clear consent, policy gating, or least-privilege constraints.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The function claims to terminate an app by bundle identifier but actually performs pkill -f pattern matching through an AppleScript invocation. That mismatch is dangerous because callers may believe the action is narrowly scoped while it can kill unrelated processes whose command lines match the supplied text, and the supplied value is also injected into executable script content.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
This duplicate implementation has the same dangerous semantic mismatch: it advertises targeted app termination but uses broad pattern-based killing. In a desktop-control context, such deceptive behavior increases the risk of accidental or malicious denial of service against arbitrary user processes.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The description promotes system-wide desktop control, screenshot capture, clipboard operations, application control, and direct mouse/keyboard interaction without any privacy, consent, or impact warning. In context, these features can enable credential capture, unintended data exfiltration, destructive interaction with user applications, or covert manipulation of the desktop environment if invoked carelessly or by a compromised agent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documented capabilities include killing processes and force-closing applications without any caution about data loss, service interruption, or the risk of terminating security tools or unsaved user work. Because the skill is designed for direct system interaction, omission of these warnings increases the likelihood of harmful misuse or accidental destructive actions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The API documents screenshot capture with a default output path but provides no warning that screenshots may collect sensitive on-screen data such as credentials, personal information, or proprietary content. In a desktop-control skill, this materially increases misuse risk because the capability enables silent collection and persistence of privacy-sensitive data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The reference exposes process and application termination functions, including force-closing behavior, without warning about unsaved work loss or disruption of active user tasks. In a system-wide automation skill, these actions can be used to interrupt security tools, terminate productivity apps, or cause denial-of-service to the local user session.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The clipboard API allows reading and overwriting clipboard contents, but the overwrite behavior is documented without warning that existing user data will be replaced. Clipboard contents frequently contain secrets or in-progress work, so silent replacement can cause data loss and facilitate theft or manipulation of sensitive information.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Mouse and keyboard injection provide direct control over the active desktop session, enabling unintended clicks, text entry, dialog confirmation, navigation, and modification of user data. In the context of a macOS desktop automation skill, the lack of safety warnings is especially dangerous because these capabilities can drive any focused application, including security-sensitive workflows such as terminals, password dialogs, browsers, and system settings.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
Providing a force-kill primitive without confirmation or policy checks is dangerous in an agent skill because it can abruptly terminate important applications or services and cause data loss. The desktop-control context makes this more serious because the skill is designed for broad local system interaction, increasing the likelihood of misuse.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
Clipboard overwrite is a sensitive state-changing action and here it occurs without any user-facing warning, confirmation, or scoping. In an automation skill, that can silently replace user data or poison subsequent paste operations, especially when paired with other UI automation functions.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
Force-closing applications without clear warning is dangerous because it can destroy unsaved user work and interrupt critical local workflows. This is amplified here by the misleading implementation, which may kill more than the intended target due to pattern matching.

VirusTotal

VirusTotal findings are pending for this skill version.
