DisplayControllerSkill
Suspicious
Audited by ClawScan on May 11, 2026.
Overview
The monitor-control purpose is clear, but the skill asks the agent to download and run an unverified Windows executable from GitHub, so review it before installing.
Install only if you trust the GitHub release and are comfortable with the agent downloading and running a local EXE. Prefer verifying the file hash or signature manually, and require confirmation before monitor power-off or other display-changing actions.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the release is compromised, replaced, or not the expected program, the skill could run arbitrary code on the user's machine.
The setup script downloads an executable from an external GitHub release, but the artifacts provide no checksum, signature verification, lockfile, or bundled source for that binary.
Invoke-WebRequest -Uri 'https://github.com/society2012/DisplayControlTool/releases/download/tag002/DisplayControlSkill.exe' -OutFile $exePath
Bundle reviewed code where possible, or require explicit user approval and verify the downloaded EXE with a pinned hash or trusted signature before execution.
The agent may download and run unreviewed local code as part of an ordinary monitor-control request.
The normal workflow tells the agent to install a missing executable and then execute it, but that executable is not included in the reviewed artifacts.
If `scripts/DisplayControlSkill.exe` does not exist, run `scripts/setup.ps1` ... then call the EXE to get its JSON output.
Make the download and first execution user-confirmed, document the binary provenance, and verify integrity before running it.
A mistaken or autonomous call could dim a display or turn it off, which may confuse or interrupt the user.
The skill exposes commands that intentionally change display state, including turning a monitor off.
`set_monitor_power_off` | `<index>` | Turn off the monitor
Ask for clear user intent before power-mode changes, especially commands that turn displays off or affect multiple monitors.
