Desktop Guardian

Security checks across malware telemetry and agentic risk

Overview

This skill openly provides Mac desktop control, but it enables always-on automation and automatic closing or dialog dismissal in ways users should review carefully before installing.

Install only if you intentionally want an always-on Mac desktop controller. Before enabling it, inspect or obtain the missing DesktopGuardian Spoon source, change cleanup and dialog actions to ask or disabled, review the app whitelist, and make sure you know the kill switch and uninstall steps.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The script claims it never interpolates shell variables into Hammerspoon commands, but later executes a dynamically supplied command string via `eval "$HS_CMD"`. Because `HS_CMD` comes from helper-produced action data rather than a fixed allowlisted dispatch table, any compromise, bug, or malicious input in that pipeline can become arbitrary shell command execution under the LaunchAgent user. In a desktop automation skill with broad GUI permissions, that is especially dangerous because it can silently drive the desktop and execute host commands.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The activation guidance is overly broad for a skill with full macOS GUI control, app termination, keypress injection, and popup handling. Generic triggers like 'any macOS Accessibility automation' can cause the skill to be selected in situations where less-privileged tooling would suffice, expanding the chance of unintended destructive actions or abuse.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The description emphasizes automatic closing, dismissal, and enforcement behavior but does not clearly warn that these actions may alter user state, discard work, interfere with security prompts, or close unauthorized apps/tabs. In a desktop-control skill, undocumented autonomous state changes materially increase operational and security risk because the agent may act without sufficiently informed consent.

Vague Triggers

Medium
Confidence
92% confidence
Finding
Cleanup is enabled with autonomous close actions over apps, browser windows, and tabs, but this example config provides no explicit trigger boundaries, approval gates, or narrowing conditions. In a skill whose purpose is full macOS GUI control and continuous monitoring, that creates a real risk of unintended destructive actions, data loss, or interference with legitimate user activity.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The configuration specifies destructive actions like closing apps, windows, and tabs without any user-facing warning, confirmation, or safeguard for unsaved state. Given this skill's desktop-control scope, such behavior can silently terminate active work, dismiss important context, and be abused to hide agent actions or disrupt security-relevant browsing sessions.

Missing User Warnings

High
Confidence
98% confidence
Finding
Automatic dialog dismissal is especially risky here because the skill is designed to monitor and interact with macOS system dialogs continuously. Dismissing prompts from components like UserNotificationCenter and CoreServicesUIAgent, combined with a default click strategy, can suppress security, privacy, update, or permission-related decisions that should remain visible to the user or require explicit approval.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guide tells users to grant Hammerspoon macOS Accessibility access, which gives broad control over the desktop, input, and UI elements, but it does not clearly warn that this permission enables powerful automation that can read window state, click buttons, dismiss prompts, and interact with other applications. In the context of a skill explicitly designed for always-on desktop monitoring and automatic dialog handling, omitting a permission-risk warning can mislead users into granting highly sensitive access without informed consent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This code enumerates all on-screen windows, frontmost application, running GUI apps, and dialog metadata, then emits that data as structured JSON without any user-facing notice, consent gate, or scope restriction. In the context of a desktop-control skill, this creates a meaningful privacy and surveillance risk because sensitive application usage, window titles, and security-dialog presence can be inferred and consumed by an agent or downstream system.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code generates automatic remediation actions that can close apps, windows, tabs, and dismiss dialogs based solely on snapshot/policy evaluation, often without an inline confirmation gate at the moment of action. In a desktop-control skill with Accessibility-level GUI automation, this can suppress important security or permission prompts, disrupt user workflows, or close applications handling sensitive/unsaved state, making the behavior materially risky even if intended as cleanup automation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer appends `require("hs.ipc")` to the user's `~/.hammerspoon/init.lua` without explicit consent, backup, or clear pre-write warning. Because Hammerspoon executes this file, modifying it changes trusted user automation state and can unexpectedly alter behavior or break an existing setup.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script creates and immediately bootstraps a LaunchAgent that runs `monitor.sh` every 60 seconds, establishing persistent background execution without an explicit confirmation gate. In the context of a desktop-control skill with Accessibility automation, this persistence materially increases risk because it enables continuous GUI monitoring and action after install.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script automatically closes windows, tabs, dialogs, and even force-closes apps without confirmation at the moment of action. In this skill's context, that behavior can destroy user state, dismiss security-relevant prompts, or interfere with user decisions, especially since the tool is designed to monitor and act on desktop dialogs autonomously.

Session Persistence

Medium
Category
Rogue Agent
Content
# Bootstrap
launchctl bootout "gui/$(id -u)/$LAUNCH_AGENT_LABEL" 2>/dev/null || true
launchctl bootstrap "gui/$(id -u)" "$LAUNCH_AGENT_PLIST"
info "LaunchAgent installed and started"

# --- Make monitor.sh executable ---
Confidence
99% confidence
Finding
PLIST

VirusTotal

51/51 vendors flagged this skill as clean.
