Back to skill

Security audit

Windows Control

Security checks across malware telemetry and agentic risk

Overview

This skill openly provides full Windows desktop control, but its ability to read and change arbitrary windows, browsers, dialogs, and screenshots is broad enough to require careful review before use.

Install only if you intentionally want an agent to control and inspect your Windows desktop like a local user. Use it in a bounded session, keep sensitive apps and secrets closed, prefer exact window targeting, review before click/type/dismiss/close actions, and avoid running it where screenshots or UI text could expose confidential data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly provides full desktop control plus broad screen, window, webpage, and UI text-reading capabilities, which enables access to sensitive data across arbitrary applications. The dangerous part is not mere automation alone, but that the documentation normalizes unrestricted interaction and data extraction without any privacy, authorization, or scope limitations, making misuse or accidental overreach highly likely.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The examples include actions such as closing windows, typing into active contexts, saving files, clicking arbitrary UI elements, handling dialogs, and interacting with browser/application content, all of which can alter user data or system state. Because these are presented as normal workflows without warnings, confirmations, or rollback guidance, an agent could easily perform destructive or privacy-invasive actions in the wrong window or on sensitive data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The manifest explicitly advertises 'Full Windows desktop control' and mentions mouse, keyboard, and screenshots, which signals broad capability to interact with arbitrary applications and capture sensitive on-screen data. Even though this is only metadata, the skill context makes the omission of safety warnings and scope limitations dangerous because users may install or invoke a highly privileged automation skill without understanding the risk of credential theft, unintended actions, or privacy exposure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This script enables direct clicking of arbitrary UI elements across windows based only on text matching, with no confirmation, allowlist, or safety interlock for destructive actions. In a full Windows desktop control skill, that can trigger sensitive or irreversible operations such as deleting data, approving prompts, dismissing security warnings, or interacting with privileged applications by mistake or abuse.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script can type arbitrary text into enabled Edit/ComboBox controls in the active or first-matched dialog with no confirmation, allowlist, or validation of the target context. In a skill whose stated purpose is full Windows desktop control, this enables silent modification of file paths, security prompts, credentials fields, or other sensitive UI inputs, increasing the chance of unauthorized or destructive actions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The button-click and dismiss logic performs UI actions based on partial button-name matching and common dismissal labels, and falls back to sending Escape, without verifying the dialog's purpose or the consequence of the action. In this desktop-control skill, that can approve prompts, close warnings, discard changes, or trigger privileged/destructive operations on arbitrary dialogs, making the capability materially dangerous.

Missing User Warnings

Low
Confidence
84% confidence
Finding
This script enumerates UI controls and extracts visible text from Edit and Document elements, then prints that content to stdout/JSON without any consent check, masking, or warning. In a skill explicitly designed for full Windows desktop control, that behavior can expose sensitive on-screen information such as passwords shown in fields, personal data, emails, chat content, or internal documents to downstream logs, agents, or users.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This script enumerates UI elements from browser windows and extracts visible text, links, button metadata, and, in full mode, input-field values. In a Windows desktop control skill, that can expose credentials, personal data, session information, internal documents, or other sensitive browser content without any consent check, origin restriction, masking, or privacy warning, making the issue more dangerous in this context.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This script enumerates UI elements from any partially matched desktop window and prints discovered text to stdout, which can expose sensitive on-screen information such as emails, documents, credentials, chat content, or internal application data. In the context of a 'Full Windows desktop control' skill, this capability materially increases data-exfiltration risk because broad access to arbitrary windows is a core feature rather than a tightly scoped exception.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This script captures the full screen and exports it as base64 without any user-facing notice, consent, scoping, or redaction. In the context of a 'Full Windows desktop control' skill, screenshots can expose passwords, emails, tokens, confidential documents, and other sensitive on-screen data, making silent collection materially dangerous.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.