ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Atu Desktop Control

v1.0.0

Full desktop automation - screenshots, mouse, keyboard, window management, clipboard, screen info

0· 71·0 current·0 all-time
by@qoohsuan
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (desktop automation: screenshots, mouse, keyboard, windows, clipboard) align with the included Python script and README. The script implements the listed features and does not request unrelated cloud/secret credentials or external services.
Instruction Scope
SKILL.md explicitly instructs the agent to run the skill's Python CLI from a venv and provides example exec calls. Those instructions give the agent the ability to run arbitrary commands within the skill directory and to control the host desktop (take screenshots, read/write clipboard, send keystrokes). This is expected for this purpose, but it is powerful and sensitive. Also, SKILL.md/README reference a Windows setup script (scripts/setup.ps1) that is not present in the bundle — an inconsistency you should verify.
Install Mechanism
There is no registry-level install spec, but the bundle includes a setup script (scripts/setup.sh) that runs pip install of packages from PyPI (pyautogui, pillow, pyperclip). Installing from PyPI is common but carries the usual supply-chain risks. The setup.sh does not install pygetwindow (used by window commands) and a Windows setup.ps1 is referenced but missing — the provided setup script is therefore incomplete.
Credentials
The skill declares no environment variables, no credentials, and uses no network libraries in the included code. It does not request secrets or unrelated environment access.
Persistence & Privilege
always is false and the skill does not request persistent or cross-skill configuration changes. It runs only when invoked and does not declare autonomous always-on behavior.
Assessment
This skill appears to do what it says (local desktop automation), but it grants powerful local capabilities (screenshots, keystrokes, clipboard access). Before installing: (1) Only install if you trust the skill owner or review the code yourself — these operations can access sensitive data. (2) Note the bundle references a Windows setup.ps1 that is not included and the setup.sh omits pygetwindow (a dependency used by window commands); verify and fix missing installers before running. (3) Prefer running the skill in an isolated environment (VM) if you are unsure. (4) Inspect the code for any network/upload calls before use (none were found in the provided files, but verify full file contents). (5) If you allow agent autonomous invocation, be aware it can execute CLI commands that control your desktop — consider limiting autonomy or requiring explicit user approval for each run.

Like a lobster shell, security has layers — review code before you run it.

automationvk970qyqa02yza5enrmcnyzs4m983mzxjdesktopvk970qyqa02yza5enrmcnyzs4m983mzxjkeyboardvk970qyqa02yza5enrmcnyzs4m983mzxjlatestvk970qyqa02yza5enrmcnyzs4m983mzxjmousevk970qyqa02yza5enrmcnyzs4m983mzxjpyautoguivk970qyqa02yza5enrmcnyzs4m983mzxjscreenshotvk970qyqa02yza5enrmcnyzs4m983mzxjwindowsvk970qyqa02yza5enrmcnyzs4m983mzxj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments