Windows RPA

Security checks across malware telemetry and agentic risk

Overview

Most of this Windows automation skill's capabilities are disclosed in its documentation, but it gives an agent broad desktop access and unrestricted command-line control that should be reviewed before installation.

Install only if you intend to let the agent control a Windows desktop and run local commands under your user account. Enable approval for every shell, clipboard-read, screenshot, and full-state action, and avoid using it while passwords, tokens, private documents, or sensitive business apps are visible or copied.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def cmd_clipboard_get(args):
    """Get clipboard contents"""
    try:
        # Reads the user's clipboard through PowerShell; the text is returned to the agent as-is
        result = subprocess.run(
            ['powershell', '-Command', 'Get-Clipboard'],
            capture_output=True, text=True, timeout=5
        )
Confidence
91% confidence
Finding
result = subprocess.run( ['powershell', '-Command', 'Get-Clipboard'], capture_output=True, text=True, timeout=5 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def cmd_clipboard_set(args):
    """Set clipboard contents"""
    try:
        # args.text is interpolated into the PowerShell command string without escaping;
        # an unescaped double quote in the text ends the -Value string and the remainder
        # is parsed as PowerShell
        result = subprocess.run(
            ['powershell', '-Command', f'Set-Clipboard -Value "{args.text}"'],
            capture_output=True, text=True, timeout=5
        )
Confidence
97% confidence
Finding
result = subprocess.run( ['powershell', '-Command', f'Set-Clipboard -Value "{args.text}"'], capture_output=True, text=True, timeout=5 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def cmd_window_activate(args):
    """Activate a window by title"""
    try:
        # args.title_pattern is interpolated unescaped into a PowerShell expression
        result = subprocess.run(
            ['powershell', '-Command',
             f'(New-Object -ComObject WScript.Shell).AppActivate("{args.title_pattern}")'],
            capture_output=True, text=True, timeout=5
        )
Confidence
96% confidence
Finding
result = subprocess.run( ['powershell', '-Command', f'(New-Object -ComObject WScript.Shell).AppActivate("{args.title_pattern}")'], capture_output=True, te

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    """Find windows by title"""
    try:
        title_filter = args.title_contains or ""
        # title_filter is interpolated unescaped into the -like pattern of a PowerShell pipeline
        result = subprocess.run(
            ['powershell', '-Command',
             f'Get-Process | Where-Object {{$_.MainWindowTitle -like "*{title_filter}*"}} | Select-Object ProcessName, MainWindowTitle, Id | ConvertTo-Json'],
            capture_output=True, text=True, timeout=10
        )
Confidence
96% confidence
Finding
result = subprocess.run( ['powershell', '-Command', f'Get-Process | Where-Object {{$_.MainWindowTitle -like "*{title_filter}*"}} | Select-Object ProcessName, MainWind

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def cmd_run_app(args):
    """Run a command"""
    try:
        # args.command is handed to the system shell verbatim, with no allow-list,
        # scoping, or confirmation step
        result = subprocess.run(
            args.command,
            shell=True,
            capture_output=True,
            text=True, timeout=60
        )
Confidence
99% confidence
Finding
result = subprocess.run( args.command, shell=True, capture_output=True, text=True, timeout=60 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    try:
        # app_path and args.args are interpolated into a single command line and run with shell=True
        if args.args:
            subprocess.Popen(f'start "" "{app_path}" {args.args}', shell=True)
        else:
            subprocess.Popen(f'start "" "{app_path}"', shell=True)
Confidence
98% confidence
Finding
subprocess.Popen(f'start "" "{app_path}" {args.args}', shell=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        if args.args:
            subprocess.Popen(f'start "" "{app_path}" {args.args}', shell=True)
        else:
            subprocess.Popen(f'start "" "{app_path}"', shell=True)

        return {"status": "ok", "app": args.app, "path": app_path}
    except Exception as e:
Confidence
74% confidence
Finding
subprocess.Popen(f'start "" "{app_path}"', shell=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    try:
        # Generic shell executor: args.command runs unmodified under the user's account
        if shell_type == "powershell":
            result = subprocess.run(
                ['powershell', '-NoProfile', '-Command', args.command],
                capture_output=True, text=True, timeout=60
            )
Confidence
99% confidence
Finding
result = subprocess.run( ['powershell', '-NoProfile', '-Command', args.command], capture_output=True, text=True, timeout=60 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                capture_output=True, text=True, timeout=60
            )
        else:
            # CMD branch of the same executor; args.command is passed through unmodified
            result = subprocess.run(
                ['cmd', '/c', args.command],
                capture_output=True, text=True, timeout=60
            )
Confidence
99% confidence
Finding
result = subprocess.run( ['cmd', '/c', args.command], capture_output=True, text=True, timeout=60 )

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill includes a generic shell executor that accepts arbitrary commands for PowerShell or CMD. That is not necessary for standard desktop RPA and turns the skill into a general-purpose code-execution backdoor, especially dangerous when exposed to an agent that may process untrusted prompts.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This file exposes a second arbitrary command runner via `run_app`, duplicating the dangerous behavior of `cmd_shell`. Redundant execution paths make review, policy enforcement, and sandboxing harder while giving attackers multiple ways to obtain OS command execution.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
`get_state` appears to be an inspection command, but it can also capture and persist a full-screen screenshot when requested. In a desktop automation context, screenshots can contain sensitive emails, chats, documents, OTP codes, and customer data, so this meaningfully broadens surveillance and exfiltration capability.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly advertises clipboard access and PowerShell/CMD execution but provides no warning about exfiltration of copied secrets, destructive command execution, or broader system impact. In an agent skill context, these capabilities are especially sensitive because they can expose credentials, modify files, or run arbitrary system commands under the user's account.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The documentation promotes screenshot capability without warning that captures may include passwords, personal messages, financial data, or other sensitive on-screen content. For a desktop automation skill, screenshotting is more dangerous than in many other contexts because the agent may access arbitrary windows and entire desktops, not just a constrained application view.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Clipboard contents are returned directly with no warning, masking, or approval step. Because clipboard data often contains secrets and recently copied sensitive text, this is a privacy and data-exposure issue in an agent-accessible skill.

Missing User Warnings

High
Confidence
98% confidence
Finding
The shell command feature provides unrestricted OS command execution without confirmation or policy constraints. In the context of an LLM-driven agent tool, this is especially dangerous because prompt injection or model error can trigger destructive or exfiltrative commands.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The desktop-state routine can silently include a screenshot, but its interface does not emphasize the privacy-sensitive nature of that data collection. This creates a risk of collecting and storing sensitive on-screen information without clear intent or user awareness.

Missing User Warnings

High
Confidence
99% confidence
Finding
`run_app` executes arbitrary commands with `shell=True` and no safety controls, confirmation, or scoping. This is a straightforward remote code execution vector and especially unsafe in a skill whose nominal purpose is desktop automation rather than unrestricted shell access.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal