Claw Mouse

Security checks across malware telemetry and agentic risk

Overview

This skill does provide the desktop automation it describes, but it gives an agent broad control of a live X11 session and includes under-documented URL/application launching.

Install only if you intentionally want an agent to control your real Linux X11 desktop. Use it in a dedicated VM, test account, or supervised session; close sensitive windows; delete screenshots when done; and require explicit approval before allowing click, type, key, activate, or open actions that could change accounts, send messages, make purchases, or launch external content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 86%
Finding: The skill advertises and documents direct shell-backed control of an X11 desktop (screenshots, mouse movement, clicks, and typing) but declares no corresponding permissions. An agent or user can therefore invoke shell and environment capabilities with no explicit consent boundary, allowing unintended interaction with the real desktop session and exposure of whatever appears in screenshots or typed input.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 91%
Finding: The documented purpose frames the skill as screenshot and input automation, but its actual behavior also includes window enumeration, focus changes, and opening URLs through external programs. The mismatch understates the skill's effective control over the desktop and browser; that control could be used to navigate to attacker-controlled content, manipulate active windows, or interfere with user sessions beyond the stated scope.

Description-Behavior Mismatch
Severity: Medium
Confidence: 88%
Finding: The skill description frames the tool as screenshot and input automation, but the code also opens arbitrary URLs or files via xdg-open, gio, or chromium-browser. That expands the capability surface beyond the stated purpose and can be abused to launch external applications, trigger URI handlers, or navigate to attacker-controlled content.

Context-Inappropriate Capability
Severity: Medium
Confidence: 90%
Finding: Launching arbitrary URLs/apps is a real capability increase in a desktop control helper because it can start browsers, file handlers, or any other registered application without additional validation. In an agent setting this makes the tool materially more dangerous, since it can pivot from passive automation to opening attacker-chosen resources on the host.

Missing User Warnings
Severity: Medium
Confidence: 87%
Finding: The code can move the mouse, click, type arbitrary text, and send key chords with no confirmation, policy checks, or safety interlocks. In the context of an agent skill, that can drive sensitive UI actions such as approving prompts, sending messages, modifying settings, or interacting with privileged applications.

Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: Screenshot capture saves desktop contents to disk without any disclosure, retention policy, or access controls. On a real desktop this may collect sensitive information such as credentials, messages, documents, or tokens and leave it in predictable local files.

Missing User Warnings
Severity: Low
Confidence: 82%
Finding: Opening a URL causes an external application or handler to launch without disclosure or confirmation. While less severe than arbitrary command execution, it is still a user-visible side effect and may expose the system to malicious web or URI content.
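The approval gate the Overview recommends, applied to the findings above, as an added example that is not the skill's or the scanner's own code. It assumes the skill shells out to xdotool for input, scrot for screenshots and xdg-open for URLs; the action names, the allowlisted host `docs.example.org` and the blocked key chords are assumptions made for the demonstration. Read-only actions pass through; click, type, key, activate and open are described to an approval callback first; open targets must be https to an allowlisted host, which rejects file://, javascript: and custom URI handlers; screenshots land in a fresh mode-0700 directory instead of a predictable path; and nothing is passed through a shell.

```python
"""Approval gate in front of an X11 desktop-automation skill.

Added example, not the skill's own code. Tool names (xdotool, scrot,
xdg-open), the allowlisted host and the blocked chords are assumptions.
"""
import os
import re
import subprocess
import tempfile
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import urlparse

# Read-only actions observe the session; everything else can change it.
READ_ONLY = {"screenshot", "list_windows"}
STATE_CHANGING = {"click", "type", "key", "activate", "open"}

# Assumption: the agent may only open https URLs on this one host.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"docs.example.org"}
# Assumption: chords that lock, kill or escape the supervised session.
BLOCKED_CHORDS = {"ctrl+alt+delete", "alt+f4", "ctrl+alt+backspace"}
WINDOW_ID_RE = re.compile(r"^[0-9]+$")


@dataclass
class Decision:
    allowed: bool
    reason: str
    command: list = field(default_factory=list)  # argv, never a shell string


def validate_open_target(target: str) -> Optional[str]:
    """Return None if target may be handed to xdg-open, else the reason not to.

    Rejects file://, javascript:, custom URI schemes and bare paths, all of
    which would launch whatever handler is registered on the host."""
    if len(target) > 2048 or any(c in target for c in "\x00\r\n"):
        return "control characters or oversize target"
    u = urlparse(target)
    if u.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme {u.scheme or '(none)'!r} not allowed"
    if u.username or u.password:
        return "credentials embedded in URL"
    if u.hostname is None or u.hostname not in ALLOWED_HOSTS:
        return f"host {u.hostname!r} not allowed"
    return None


def screenshot_path() -> str:
    """Fresh mode-0700 directory (mkdtemp default) for one screenshot, so the
    capture is neither world-readable nor in a predictable location."""
    base = os.environ.get("XDG_RUNTIME_DIR", "")
    if not os.path.isdir(base):
        base = tempfile.gettempdir()
    return os.path.join(tempfile.mkdtemp(prefix="claw-shot-", dir=base), "shot.png")


def plan_action(action: str, args: dict,
                approve: Callable[[str], bool]) -> Decision:
    """Turn a request into an argv, or refuse. State-changing actions are
    described to `approve` and only proceed when it returns True."""
    if action not in READ_ONLY | STATE_CHANGING:
        return Decision(False, f"unknown action {action!r}")
    if action == "screenshot":
        return Decision(True, "read-only", ["scrot", screenshot_path()])
    if action == "list_windows":
        return Decision(True, "read-only",
                        ["xdotool", "search", "--onlyvisible", "--name", "."])
    try:
        if action == "click":
            x, y, btn = int(args["x"]), int(args["y"]), int(args.get("button", 1))
            cmd = ["xdotool", "mousemove", str(x), str(y), "click", str(btn)]
            what = f"click button {btn} at ({x}, {y})"
        elif action == "type":
            text = str(args["text"])
            cmd = ["xdotool", "type", "--", text]  # "--": a leading '-' is not a flag
            what = f"type {text!r}"
        elif action == "key":
            chord = str(args["chord"]).lower()
            if chord in BLOCKED_CHORDS:
                return Decision(False, f"chord {chord!r} is blocked")
            cmd, what = ["xdotool", "key", chord], f"send key chord {chord}"
        elif action == "activate":
            wid = str(args["window"])
            if not WINDOW_ID_RE.match(wid):
                return Decision(False, "window must be a numeric X window id")
            cmd, what = ["xdotool", "windowactivate", wid], f"focus window {wid}"
        else:  # open
            target = str(args["target"])
            problem = validate_open_target(target)
            if problem:
                return Decision(False, problem)
            cmd, what = ["xdg-open", target], f"open {target}"
    except (KeyError, ValueError, TypeError):
        return Decision(False, f"bad arguments for {action}")
    if not approve(what):
        return Decision(False, "user declined", cmd)
    return Decision(True, "approved", cmd)


def run(decision: Decision) -> int:
    """Execute only what the gate approved, as argv with no shell."""
    if not decision.allowed:
        raise PermissionError(decision.reason)
    return subprocess.run(decision.command, check=False).returncode
```

Wire `approve` to an interactive prompt in a supervised session; in an unattended run it should return False so every state-changing action fails closed. Deleting the screenshot directory when the task is done is still the caller's job.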

VirusTotal

0 of 61 vendors flagged this skill; all 61 returned a clean verdict. A clean antivirus result only says the files contain no known malicious code; it does not address the findings above, which concern how legitimate desktop tooling is exposed to an agent without consent boundaries.
