Back to skill

Security audit

Computer Use

Security checks across malware telemetry and agentic risk

Overview

This is a real headless desktop-control skill, but it needs Review because it installs persistent remote desktop services with weak access controls and makes broad system-level changes.

Install only on a dedicated disposable server or VM. Before running setup-vnc.sh, inspect the services, add VNC/noVNC authentication, bind access to localhost or a firewall-restricted interface, avoid exposing ports 5900 or 6080 publicly, and prepare rollback steps to disable the services and restore /usr/bin/xfdesktop.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (29)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill clearly enables shell-capable operations and instructs users to run installation, service-management, and package-management commands, yet the metadata does not declare permissions or prominently scope that power. This weakens informed consent and increases the chance the skill is used in contexts where users do not realize it can alter system state, install services, and expose remote access components.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script advertises and is named as a click action, but it always performs a delayed screenshot afterward as a hidden side effect. In a desktop-control skill, screenshots can capture sensitive data such as credentials, tokens, private documents, or post-click UI states that the caller did not explicitly request, violating least surprise and expanding data collection beyond the requested action.

Intent-Code Divergence

Low
Confidence
87% confidence
Finding
The comment suggests the script merely takes an automatic screenshot, but the use of exec replaces the current process with another script, which is a stronger and less obvious control-flow side effect. While not inherently code execution from untrusted input here, this mismatch obscures behavior and can mislead reviewers or callers about what the action actually does, increasing the risk of unsafe composition and hidden data capture.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script's documented purpose is only to type supplied text, but it also unconditionally takes a screenshot afterward via another script. In a desktop automation skill, screenshots can capture sensitive data on screen such as credentials, messages, or internal documents, so the hidden extra action expands data collection beyond user expectations and violates least surprise.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The setup instructions install and auto-start persistent VNC/noVNC remote desktop services, but the description does not clearly warn that this exposes an interactive remote control surface on the host. In a security context, silently enabling remote-access infrastructure is risky because users may deploy it on sensitive servers without understanding the resulting attack surface.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The action list provides arbitrary GUI control—clicking, typing, dragging, keypresses, and scrolling—without a clear warning that these actions can modify files, submit forms, trigger destructive UI flows, or operate privileged applications. Because the tool works at the X11 desktop level and is designed to evade website automation detection, misuse can have broad consequences across any app in the session.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs users to download a third-party .deb and install it with sudo, but omits a warning about trusting vendor binaries, verifying provenance, and the risks of privileged package installation. This can normalize unsafe admin behavior and lead users to execute high-impact installation steps without proper validation.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script's usage text does not disclose that every click operation triggers a screenshot, so callers cannot make an informed decision about whether sensitive screen contents will be captured. In the context of a headless desktop automation skill explicitly designed to interact with arbitrary applications and websites, this undocumented capture behavior is more dangerous because it can silently collect high-value visual secrets after privileged UI actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script automatically captures a screenshot after simulating keyboard input, which can collect sensitive on-screen data such as credentials, tokens, private documents, or application state without any explicit warning or consent boundary. In this skill context, the risk is elevated because the tool is designed for full desktop automation on a headless X11 session, so screenshots may expose far more than the specific key action was intended to affect.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script automatically invokes a screenshot immediately after simulating a keypress, with no explicit warning, consent check, or opt-out at the point of action. In a computer-control skill, this can capture sensitive on-screen data such as credentials, private messages, or internal documents, and the X11-level automation context makes the behavior more privacy-invasive because it operates across the full desktop rather than a constrained browser sandbox.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script automatically invokes screenshot.sh after every scroll action, capturing the desktop without any separate confirmation or visibility at the call site. In a skill designed for full desktop control on headless servers, this increases data-exposure risk because scrolling may occur in sensitive applications and the resulting screenshots can capture credentials, private documents, or other on-screen secrets.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script silently captures a screenshot after typing without any user-facing warning, prompt, or disclosure. In the context of a headless desktop control skill with VNC/X11 automation, this can expose whatever is currently visible on the virtual desktop, including secrets entered by the script itself, making the behavior privacy-sensitive and potentially security-relevant.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This script captures a screenshot from the active virtual desktop and returns the cropped image as base64 with no access control, consent check, redaction, or audit signal. In the context of a full desktop automation skill, that behavior can expose credentials, tokens, personal data, or other sensitive on-screen content to any caller that can invoke the script, so the lack of disclosure and handling safeguards is a real data-exposure risk.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# Copy minimal-desktop.sh to a stable location
echo "[2/6] Installing watchdog script..."
sudo mkdir -p /opt/computer-use
sudo cp "$SCRIPT_DIR/minimal-desktop.sh" /opt/computer-use/
sudo chmod +x /opt/computer-use/minimal-desktop.sh

# Install systemd services (generated inline)
Confidence
84% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
echo "[2/6] Installing watchdog script..."
sudo mkdir -p /opt/computer-use
sudo cp "$SCRIPT_DIR/minimal-desktop.sh" /opt/computer-use/
sudo chmod +x /opt/computer-use/minimal-desktop.sh

# Install systemd services (generated inline)
echo "[3/6] Installing systemd services..."
Confidence
81% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# Install systemd services (generated inline)
echo "[3/6] Installing systemd services..."

cat <<EOF | sudo tee /etc/systemd/system/xvfb.service > /dev/null
[Unit]
Description=Xvfb Virtual Display :99
After=graphical.target
Confidence
91% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
WantedBy=multi-user.target
EOF

cat <<EOF | sudo tee /etc/systemd/system/xfce-minimal.service > /dev/null
[Unit]
Description=XFCE Minimal Desktop for Computer Use
After=xvfb.service
Confidence
93% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
WantedBy=multi-user.target
EOF

cat <<EOF | sudo tee /etc/systemd/system/x11vnc.service > /dev/null
[Unit]
Description=x11vnc VNC Server
After=xfce-minimal.service
Confidence
89% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
WantedBy=multi-user.target
EOF

cat <<EOF | sudo tee /etc/systemd/system/novnc.service > /dev/null
[Unit]
Description=noVNC WebSocket Proxy
After=x11vnc.service
Confidence
90% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# Mask xfdesktop to prevent flickering
echo "[4/6] Masking xfdesktop (prevents flicker)..."
if [ -f /usr/bin/xfdesktop ] && [ ! -f /usr/bin/xfdesktop.real ]; then
    sudo mv /usr/bin/xfdesktop /usr/bin/xfdesktop.real
    echo '#!/bin/bash
# Masked - xfdesktop causes VNC flickering on Xvfb
exit 0' | sudo tee /usr/bin/xfdesktop > /dev/null
Confidence
88% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
sudo mv /usr/bin/xfdesktop /usr/bin/xfdesktop.real
    echo '#!/bin/bash
# Masked - xfdesktop causes VNC flickering on Xvfb
exit 0' | sudo tee /usr/bin/xfdesktop > /dev/null
    sudo chmod +x /usr/bin/xfdesktop
    echo "  xfdesktop masked (original at /usr/bin/xfdesktop.real)"
else
Confidence
88% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
echo '#!/bin/bash
# Masked - xfdesktop causes VNC flickering on Xvfb
exit 0' | sudo tee /usr/bin/xfdesktop > /dev/null
    sudo chmod +x /usr/bin/xfdesktop
    echo "  xfdesktop masked (original at /usr/bin/xfdesktop.real)"
else
    echo "  xfdesktop already masked or not found"
Confidence
80% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# Enable and start services
echo "[5/6] Enabling services..."
sudo systemctl daemon-reload
sudo systemctl enable xvfb xfce-minimal x11vnc novnc

echo "[6/6] Starting services..."
sudo systemctl start xvfb
Confidence
94% confidence
Finding
sudo

Session Persistence

Medium
Category
Rogue Agent
Content
# Enable and start services
echo "[5/6] Enabling services..."
sudo systemctl daemon-reload
sudo systemctl enable xvfb xfce-minimal x11vnc novnc

echo "[6/6] Starting services..."
sudo systemctl start xvfb
Confidence
95% confidence
Finding
systemctl enable

Chaining Abuse

High
Category
Tool Misuse
Content
# Install systemd services (generated inline)
echo "[3/6] Installing systemd services..."

cat <<EOF | sudo tee /etc/systemd/system/xvfb.service > /dev/null
[Unit]
Description=Xvfb Virtual Display :99
After=graphical.target
Confidence
83% confidence
Finding
| sudo

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.