Ui Controller

Security checks across malware telemetry and agentic risk

Overview

This skill is presented as desktop UI control, but its main entry point can run arbitrary local shell commands from a `.ui` message.

Review carefully before installing. Only use this in a tightly trusted local environment if you intentionally want `.ui` messages to be able to run arbitrary shell commands and control the active desktop. A safer version should remove or replace `skill.js`, expose only bounded UI actions, document exact triggers, and require confirmation for risky clicks, typing, hotkeys, or command-like actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Severity: High (99% confidence)
Finding
This code takes user-controlled text from context.message, strips the first three characters, and passes the remainder directly to child_process.exec. That enables arbitrary shell command execution on the host running the skill, which can lead to full system compromise, data exfiltration, persistence, or destructive actions; the lack of warning or confirmation makes accidental or unauthorized misuse even easier.

Vague Triggers

Severity: Medium (87% confidence)
Finding
The usage guidance says to send a message that matches a configured pattern, but it does not define the allowed trigger phrases, scope, or authorization boundaries. For a skill that can control the local desktop on the gateway machine, ambiguous invocation increases the risk of accidental activation, prompt/command confusion, or abuse through overly broad matching.

Missing User Warnings

Severity: Medium (94% confidence)
Finding
The manifest explicitly exposes direct mouse and keyboard control via pyautogui, which enables arbitrary input injection into the host desktop session. Without any warning, consent, scope restriction, or safety guardrails, an agent could click through dialogs, type commands, or trigger sensitive actions in other applications, making this a real security risk rather than a purely informational issue.

Vague Triggers

Severity: Medium (91% confidence)
Finding
The description 'Control mouse and keyboard using pyautogui' is overly broad and provides no constraints on when the skill may be invoked or what tasks are permitted. In the context of a UI automation skill with arbitrary click, move, type, and hotkey actions, this lack of scoping increases the chance of unsafe or unintended invocation for sensitive operations.

Missing User Warnings

Severity: Medium (93% confidence)
Finding
The script accepts arbitrary JSON from stdin and directly converts it into mouse movement, clicks, typing, and hotkey execution on the host desktop with no confirmation, allowlist, origin validation, or safety boundaries. In an agent context, this can be abused to perform unintended UI actions such as approving prompts, changing settings, entering commands, or interacting with sensitive applications, which makes the lack of user-facing confirmation materially dangerous.

VirusTotal

0/64 vendors flagged this skill; all 64 reported it clean. A clean antivirus result does not address the findings above: passing message text to a shell is a design issue in the skill's intended behaviour, not a malware signature.