ClawHub

Smseow Peekaboo

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed desktop-control skill, but it gives an agent broad screen, mouse, keyboard, and app-control authority without enough built-in limits or confirmation guidance.

Install only if you intentionally want an agent to operate your desktop. Review the external tools before running the install commands, keep sessions supervised, and require explicit confirmation before screenshots, typing, clicks, hotkeys, app launches, payment/account changes, deletions, or interactions with security and privacy prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger phrases are broad enough to match ordinary user requests such as '截屏' or 'desktop', which can cause this high-privilege desktop-control skill to activate unexpectedly. Because the skill enables screenshots, clicks, typing, and app control, accidental invocation increases the chance of privacy exposure and unintended system actions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill advertises powerful desktop-control capabilities including screen capture, clicking, typing, and launching applications, but it does not clearly warn about privacy, credential exposure, destructive actions, or the risks of operating with accessibility/input permissions. In this context, the lack of explicit safeguards is dangerous because the skill is designed to interact directly with a live desktop, where sensitive data and privileged UI flows may be present.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal