ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cross Platform Computer Use Skill

v0.1.0

Top-level cross-platform computer-use skill that bundles standalone macOS, Windows, and Linux runtimes with zero local Claude dependency and selects the corr...

0· 72·0 current·0 all-time
by@wimi321
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (cross-platform computer-use) matches the included files and runtime: Node TypeScript tool layer plus platform-specific Python helpers for screenshots, input, app/window enumeration, and an MCP server. The requested binaries/env/credentials are minimal and appropriate for the stated purpose (the project expects Node and Python and installs public Python packages at runtime).
Instruction Scope
SKILL.md instructs building and running the bundled platform project (npm install, npm run build, node dist/cli.js) and points at helper scripts to pick the correct platform. The runtime will enumerate displays/processes, take screenshots, control mouse/keyboard, and write local files (virtualenv, lock files) — all expected for a desktop-control skill but high-privilege operations on a local machine. The SKILL.md keeps host-local constraints explicit and does not instruct contacting unexpected external endpoints.
Install Mechanism
There is no platform 'install' spec in the skill registry, but the bundle contains full project code and scripts; first-run behavior auto-creates a Python virtualenv and pip-installs public packages from PyPI (mss, Pillow, pyautogui, psutil, python-xlib). npm install will fetch packages from the npm registry. Fetching/installing public packages and running build scripts is coherent for this use case but increases attack surface compared to an instruction-only skill with no code.
Credentials
The skill does not declare or require any unrelated credentials or environment variables. It documents optional runtime environment flags (CLAUDE_COMPUTER_USE_*), which are appropriate for runtime configuration. The code reads/writes local files (home directory config and lock files) and queries process information (psutil) — proportional to enumerating running apps and enforcing a local lock.
Persistence & Privilege
always is false and there is no evidence the skill requests permanent platform-wide privileges or attempts to modify other skills. It creates files under the user's home directory (virtualenv, lock/config dirs) which is expected for a local runtime. Autonomous invocation (model invocation enabled) is default behavior but not unusual; combine this with the runtime's capabilities only if you trust the code.
Assessment
This skill is coherent: it bundles platform-specific runtimes that will run locally to take screenshots and control your mouse/keyboard. Before installing or running it, consider the following: 1) Review the included scripts (scripts/current-project.sh, scripts/install.sh, runtime/*) so you understand what will be executed. 2) Expect npm install and pip installs from public registries (PyPI/npm) on first run — run these in a controlled environment (VM/container) if you are risk-averse. 3) The runtime will access process information, window properties, and the filesystem under your home directory and will create a virtualenv and lock files; this is necessary for its purpose but is high-privilege local behaviour. 4) Do not install on hosts with sensitive data or credentials unless you trust the repository/author; prefer installing an official published package (ClawHub/GitHub) or verifying upstream source and checksums. 5) If you want extra safety, run the skill in an isolated VM or sandbox and audit any network calls or use of child processes in the code (search for exec/child_process usage) before granting it continued use.
project/platforms/linux/src/lib/execFileNoThrow.ts:9
Shell command execution detected (child_process).
project/platforms/macos/dist/lib/execFileNoThrow.js:4
Shell command execution detected (child_process).
project/platforms/macos/src/lib/execFileNoThrow.ts:9
Shell command execution detected (child_process).
project/platforms/windows/src/lib/execFileNoThrow.ts:9
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

automationvk973rvwn6bs3g6vvv3cgx5nzgd840gbacomputer-usevk973rvwn6bs3g6vvv3cgx5nzgd840gbalatestvk973rvwn6bs3g6vvv3cgx5nzgd840gbalinuxvk973rvwn6bs3g6vvv3cgx5nzgd840gbamacosvk973rvwn6bs3g6vvv3cgx5nzgd840gbamcpvk973rvwn6bs3g6vvv3cgx5nzgd840gbaskillvk973rvwn6bs3g6vvv3cgx5nzgd840gbawindowsvk973rvwn6bs3g6vvv3cgx5nzgd840gba
72downloads
0stars
1versions
Updated 2w ago
v0.1.0
MIT-0
@wimi321
automationcomputer-uselatestlinuxmacosmcpskillwindows
Download

Cross-Platform Computer-Use Skill

Use this skill when the task needs a top-level portable computer-use skill that works across macOS, Windows, and Linux without depending on any local Claude installation, private native modules, or extracted app assets.

What this skill does

  • bundles standalone platform runtimes for macOS, Windows, and Linux
  • installs one top-level skill that contains all three platform payloads
  • selects the correct project for the current host platform
  • preserves the standalone bootstrap model: each platform runtime creates its own virtualenv and installs public Python dependencies on first real run
  • keeps platform-specific limitations explicit instead of pretending the hosts behave identically

Installed layout

After installation, assume the top-level skill lives at:

~/.codex/skills/cross-platform-computer-use-skill

The bundled projects are stored under:

~/.codex/skills/cross-platform-computer-use-skill/project/platforms/macos
~/.codex/skills/cross-platform-computer-use-skill/project/platforms/windows
~/.codex/skills/cross-platform-computer-use-skill/project/platforms/linux

Platform selection

Use the helper script from the installed skill root to resolve the active platform project:

bash ~/.codex/skills/cross-platform-computer-use-skill/scripts/current-project.sh

On PowerShell:

powershell -ExecutionPolicy Bypass -File $HOME/.codex/skills/cross-platform-computer-use-skill/scripts/current-project.ps1

Build

Always build the selected platform project, not all three at once:

cd "$(bash ~/.codex/skills/cross-platform-computer-use-skill/scripts/current-project.sh)"
npm install
npm run build

Run

cd "$(bash ~/.codex/skills/cross-platform-computer-use-skill/scripts/current-project.sh)"
node dist/cli.js

Validation notes

  • macOS has been real-device validated in this workspace, including GUI typing round-trip through the MCP type tool.
  • Windows and Linux are implemented, built, packaged, and published, but still need end-to-end runtime validation on real hosts.
  • Linux currently targets X11 first; Wayland can restrict screenshots, focus inspection, clipboard, and synthetic input.

Guardrails

  • Treat this host as trusted-local only.
  • Do not tell the user to search a local Claude install for binaries or hidden assets.
  • Be explicit about the current host platform and its validation status before claiming something is verified.
  • Mention that current runtimes report screenshotFiltering: none, so action gating is handled at the MCP layer.

Comments

Loading comments...