Calculator Chat

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a calculator-number toy, but it can launch and control local calculator apps and close existing calculator processes without clear confirmation.

Install only if you are comfortable with a skill opening your local calculator, possibly closing an existing gnome-calculator window, and using desktop automation. Prefer explicit /calc-chat invocation, avoid running it in sensitive desktop sessions, and review or remove the Windows/macOS automation modules before using those platforms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (20)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

def close_calculator():
    """Close the calculator if one is already open."""
    try:
        subprocess.run(
            ['pkill', '-x', 'gnome-calculator'],  # signals every gnome-calculator the user owns, not only one the skill started
            capture_output=True,
            timeout=2
        )
    except subprocess.TimeoutExpired:
        pass  # the except clause is not part of the scanner's excerpt; assumed here so the snippet is syntactically complete
Confidence
89% confidence
Finding
subprocess.run( ['pkill', '-x', 'gnome-calculator'], capture_output=True, timeout=2 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill declares no permissions while its documented behavior and detected capabilities imply shell execution, environment inspection, and local file/code interaction. This mismatch is dangerous because users and the host platform cannot accurately assess the skill's real trust boundary, and hidden execution capabilities often enable unintended local side effects.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose is a simple calculator display helper, but the described implementation goes further by killing existing calculator processes, automating local application windows, and evaluating user-influenced expressions. This is dangerous because behavior beyond the stated scope can disrupt the user's system, abuse UI automation, and expand the attack surface far past what a user would reasonably expect from the skill description.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The plan broadens a simple text-to-number feature into a cross-platform command-executing and GUI-automation tool. Even if intended to drive only the calculator, introducing shell, PowerShell, AppleScript, and xdotool execution materially increases the attack surface and the chance of abuse or later extension into arbitrary desktop actions.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Using OS command execution and desktop automation is disproportionate to the stated purpose of sending calculator-style numeric replies. These capabilities can launch programs and synthesize input on the host desktop, which is dangerous in agent contexts because compromise, misuse, or prompting mistakes can affect the local system outside the chat boundary.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The Windows implementation invokes PowerShell and uses Win32 PostMessage-based input injection into a desktop window. Message injection primitives are high risk because they simulate user interaction at the OS level and can be repurposed or misdirected, especially if window targeting is unreliable or later generalized.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The macOS module uses AppleScript with System Events keystroke injection, which is effectively desktop automation requiring accessibility-style control over the user's session. Such automation can affect whichever app has focus or any app the script activates, creating a significant boundary-crossing risk from a simple chat skill.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The Linux implementation searches for windows, activates one, and injects keystrokes with xdotool. Window search and activation are brittle and can target the wrong application, while synthetic key events can unintentionally interact with the broader desktop session, making this a genuine host-interaction risk.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The implementation does not match the declared skill purpose: instead of a calculator-chat translator/display tool, it launches a standalone GTK calculator application on the host display. This mismatch is dangerous because it can mislead reviewers and users about what code will execute, and desktop UI access in an agent skill can create an unexpected local-interaction or host-environment attack surface.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The module docstring explicitly describes a full arithmetic calculator program, contradicting the stated skill purpose of translating/showing sentiment-coded numbers. This inconsistency is a supply-chain integrity concern because deceptive or inaccurate documentation can hide unexpected behavior and reduce the chance that risky host-side capabilities are properly reviewed.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill's purpose is to display numeric chat phrases in a calculator, but it also includes the capability to kill existing calculator processes system-wide. That mismatch increases risk because the skill can interfere with unrelated user work and exceeds what is necessary for its stated function.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This code uses AppleScript and System Events to drive the macOS UI, which grants broader automation capability than simply calculating or formatting values. Even though the current script targets Calculator, UI scripting is a powerful primitive that can be repurposed for unintended interaction with other applications or abused if untrusted input reaches the automation path.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script forcefully brings a desktop window to the foreground and injects keystrokes into the active user session using WScript.Shell SendKeys. UI automation by focus-stealing and keystroke injection is fragile and dangerous because if focus changes or AppActivate targets the wrong window, the input may be delivered to another application, causing unintended actions or data entry.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Automatically triggering on broad emotional expressions can cause the skill to activate during ordinary conversation without a clear command. In a skill that launches and controls local applications, ambiguous invocation increases the chance of unwanted execution and user confusion.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Generic trigger phrases like common emotional or conversational terms overlap with normal chat and can spur unintended activation. Because this skill affects the local desktop environment, accidental matches can repeatedly open or manipulate applications without meaningful user intent.
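The two Vague Triggers findings above describe keyword matching that overlaps with ordinary chat. The gate below is an added illustration, not code from the skill or from SkillSpector: it contrasts a broad keyword trigger with the explicit /calc-chat invocation the overview recommends, run over a constructed sample conversation. The keyword list is assumed (the skill's real trigger phrases are not shown on this page), and the numeric-argument pattern is the example's own choice.

```python
import re

# Assumed stand-in for a broad emotional trigger list; the skill's real
# trigger phrases are not shown on this page.
KEYWORD_TRIGGERS = ("happy", "sad", "love", "miss", "angry", "number")

# Explicit invocation: the command must start the message and carry exactly one
# calculator-style number. Anything else is ordinary chat and must not fire.
EXPLICIT_RE = re.compile(r"^/calc-chat\s+(-?\d+(?:\.\d+)?)\s*$")

# Constructed sample conversation (not from the page).
SAMPLE_MESSAGES = [
    "I'm so happy the deploy finally went through",
    "sad that the meeting got moved again",
    "can you check the number of failed jobs?",
    "/calc-chat 5318008",
    "I love how /calc-chat 42 looks, but don't open it now",
    "unrelated message about the weather",
]


def keyword_trigger(message):
    """Broad trigger: fires if any keyword appears anywhere in the text."""
    text = message.lower()
    return any(word in text for word in KEYWORD_TRIGGERS)


def explicit_trigger(message):
    """Narrow trigger: returns the number to display, or None when the message
    is not an explicit command. A mention of the command mid-sentence, or a
    command followed by anything but a number, does not count."""
    m = EXPLICIT_RE.match(message)
    return m.group(1) if m else None


def compare_triggers(messages=SAMPLE_MESSAGES):
    """Which messages would launch desktop automation under each policy."""
    return {
        "keyword": [m for m in messages if keyword_trigger(m)],
        "explicit": [m for m in messages if explicit_trigger(m) is not None],
    }
```

On the sample conversation the keyword policy fires on four of the six lines, three of them plain conversation with no calculator intent, while the explicit policy fires once. Because each activation here launches a desktop application and injects keystrokes, the difference between the two lists is the number of unintended host-side actions per conversation.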

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The design explicitly describes launching and controlling a system calculator through background UI automation and key injection without user-facing warning or explicit consent. Background interaction with system UI is risky because it can behave unexpectedly, be repurposed for broader UI automation patterns, and undermine user trust by manipulating desktop applications outside the normal chat surface.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The user-facing skill documentation does not clearly warn that the skill will launch a local calculator and synthesize desktop keystrokes. Missing transparency around host-side actions is dangerous because users and operators may invoke the skill without understanding that it performs local GUI automation with side effects outside the conversation.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The code closes an already-running calculator before opening a new one, with no warning or user confirmation. In context, that can cause loss of user state or interrupt legitimate activity, making the skill more dangerous than a simple display utility should be.
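The subprocess finding near the top of this report, the Context-Inappropriate Capability finding about killing calculator processes, and this finding all describe the same defect: pkill -x gnome-calculator signals every matching process the user owns, including one they were working in. The class below is an added example, not the skill's code, showing the least-privilege alternative: remember the child you launched and terminate only that PID. The gnome-calculator default comes from the page; stand_in_argv() is a constructed headless substitute so the example runs without a desktop.

```python
import subprocess
import sys


class CalculatorSession:
    """Launch the calculator once and remember the child process, so close()
    only ever stops the process this skill started. The page's close_calculator
    runs `pkill -x gnome-calculator`, which signals every matching process the
    user owns, including a calculator they were working in."""

    def __init__(self, argv=("gnome-calculator",)):
        self.argv = list(argv)
        self.proc = None

    def is_running(self):
        return self.proc is not None and self.proc.poll() is None

    def open(self):
        """Start the calculator, or reuse the one we already started. Returns its PID."""
        if self.is_running():
            return self.proc.pid
        self.proc = subprocess.Popen(
            self.argv, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL
        )
        return self.proc.pid

    def close(self, grace=2.0):
        """Stop only our own child: SIGTERM to one PID, then SIGKILL if it
        ignores that for `grace` seconds. Returns True if a process was stopped."""
        if not self.is_running():
            return False
        self.proc.terminate()
        try:
            self.proc.wait(timeout=grace)
        except subprocess.TimeoutExpired:
            self.proc.kill()
            self.proc.wait()
        return True


def stand_in_argv():
    """Constructed stand-in for gnome-calculator so the example runs headless:
    a Python child that sleeps until it is signalled."""
    return [sys.executable, "-c", "import time; time.sleep(60)"]


if __name__ == "__main__":
    # Two sessions: the user's own calculator and the one the skill drives.
    user = CalculatorSession(stand_in_argv())
    skill = CalculatorSession(stand_in_argv())
    user.open()
    skill.open()
    skill.close()
    print("user calculator still running:", user.is_running())  # True
    user.close()
```

Scoping the kill to a PID the skill owns also removes the need for a confirmation prompt in the common case: the only state that can be lost is state the skill itself created. A calculator the user opened by hand is never touched.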

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code constructs an osascript command by interpolating a multi-line AppleScript string into a shell command and includes user-influenced data (`number`) inside that script. The escaping is not robust for shell and AppleScript contexts together, so crafted input containing shell-significant characters such as a single quote can break out of the quoted argument and potentially trigger command injection when execSync runs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code executes PowerShell with ExecutionPolicy Bypass and interpolates the user-controlled number into a command-line argument without robust escaping. An attacker can supply crafted input containing quotes or PowerShell metacharacters to break out of the intended string and inject arbitrary PowerShell commands, leading to local code execution under the user's privileges.
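The previous finding (osascript built by string interpolation and run through execSync) and this one (PowerShell with the number interpolated into the command line) are the same bug class: user input concatenated into a string that a shell parses. The example below is added here and is not the skill's code; it reproduces the pattern in Python, where subprocess.run(..., shell=True) plays the role of Node's execSync, and then shows the two fixes layered. The AppleScript text is a simplified stand-in (the real script is not shown on the page), PAYLOAD is a constructed attacker input, and printf replaces osascript so the example runs on any POSIX host without a desktop.

```python
import re
import subprocess

# Simplified stand-in for the skill's AppleScript; the real script is not shown
# on the page. The Windows module has the same shape with a PowerShell command.
APPLESCRIPT = (
    'tell application "Calculator" to activate\n'
    'tell application "System Events" to keystroke "{number}"'
)

# A calculator display only ever needs a sign, digits and an optional fraction.
NUMBER_RE = re.compile(r"-?\d+(?:\.\d+)?")

# Constructed attacker-controlled "number": ends the single-quoted shell
# argument, runs a command, and re-opens a quote so the shell stays happy.
PAYLOAD = "'; echo pwned; '"


def vulnerable_command(number, tool="osascript -e"):
    """The pattern the findings describe: the script is formatted with user
    input and dropped into a single-quoted shell argument. `tool` is only
    parametrised so the example can run against a harmless stand-in."""
    return f"{tool} '{APPLESCRIPT.format(number=number)}'"


def run_vulnerable(number):
    """shell=True is the Python analogue of Node's execSync: /bin/sh parses the
    whole string. printf '%s\\n' replaces osascript and prints each argv entry
    on its own line, so anything the shell ran as a separate command shows up
    as a separate output line."""
    cmd = vulnerable_command(number, tool="printf '%s\\n' -e")
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True, timeout=5).stdout


def run_argv_only(number):
    """First layer: pass the script as one argv element with no shell, so a
    quote in `number` cannot terminate the argument. The payload still lands
    inside the AppleScript string literal, so this alone is not enough."""
    argv = ["printf", "%s\n", APPLESCRIPT.format(number=number)]
    return subprocess.run(argv, capture_output=True, text=True, timeout=5).stdout


def safe_argv(number, tool=("osascript", "-e")):
    """Second layer: validate against the only shape the feature needs, then
    build argv. Rejecting the input beats trying to escape it correctly for
    two interpreters (shell and AppleScript) at once."""
    if not NUMBER_RE.fullmatch(number):
        raise ValueError(f"refusing non-numeric calculator input: {number!r}")
    return [*tool, APPLESCRIPT.format(number=number)]


def run_safe(number):
    return subprocess.run(safe_argv(number, tool=("printf", "%s\n")),
                          capture_output=True, text=True, timeout=5).stdout
```

With PAYLOAD, run_vulnerable returns "pwned" on a line of its own: the shell executed echo as a second command, exactly the breakout both findings describe. run_argv_only never spawns a shell, so the same payload is printed literally inside the script, but that script would still reach osascript with an attacker-closed string literal, which is why the numeric check in safe_argv is not optional. The same reasoning applies to the PowerShell path: even a correctly built argv hands -Command a string that PowerShell parses again, so validating the number before it is formatted into the command is the control that actually holds there.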

VirusTotal

64/64 vendors flagged this skill as clean.
