DisplayControllerSkill
Advisory
Audited by Static analysis on May 11, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the release is compromised, replaced, or not the expected program, the skill could run arbitrary code on the user's machine.
The setup script downloads an executable from an external GitHub release, but the artifacts provide no checksum, signature verification, lockfile, or bundled source for that binary.
Invoke-WebRequest -Uri 'https://github.com/society2012/DisplayControlTool/releases/download/tag002/DisplayControlSkill.exe' -OutFile $exePath
Bundle reviewed code where possible, or require explicit user approval and verify the downloaded EXE with a pinned hash or trusted signature before execution.
The agent may download and run unreviewed local code as part of an ordinary monitor-control request.
The normal workflow tells the agent to install a missing executable and then execute it, but that executable is not included in the reviewed artifacts.
If `scripts/DisplayControlSkill.exe` does not exist, run `scripts/setup.ps1` ... then call that EXE to obtain the JSON output.
Make the download and first execution user-confirmed, document the binary provenance, and verify integrity before running it.
A mistaken or autonomous call could dim a display or turn it off, which may confuse or interrupt the user.
The skill exposes commands that intentionally change display state, including turning a monitor off.
`set_monitor_power_off` | `<index>` | Turn off the monitor
Ask for clear user intent before power-mode changes, especially commands that turn displays off or affect multiple monitors.
