TuriX Computer Use

Security checks across malware telemetry and agentic risk

Overview

This skill openly controls a Mac desktop, but it needs careful review because it grants broad screen/control access and delegates the core automation to an external TuriX install.

Install only if you deliberately want an AI agent to see and control your Mac desktop. Use a dedicated, trusted TuriX-CUA checkout, pin or review the external runtime, supervise runs, avoid personal or production accounts for sensitive workflows, require explicit confirmation before submissions/uploads/account changes/deletions, and revoke macOS Screen Recording and Accessibility permissions when done.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding
The README explicitly encourages automated desktop control and provides an example of signing up with a Google account, while also describing background execution of the helper script. In the context of a GUI automation skill with screen-recording and accessibility privileges, omitting clear warnings about privacy, credential exposure, and account-safety materially increases the risk of unsafe use.

Missing User Warnings

Medium
Confidence: 96%
Finding
This skill enables autonomous macOS desktop control for workflows that may touch email, portals, documents, and other sensitive applications, yet the description lacks a prominent privacy and safety warning. That omission can cause operators to invoke the skill in contexts involving secrets, personal data, or destructive actions without understanding the surveillance, exfiltration, or unintended-action risks inherent in GUI automation.

VirusTotal

66/66 vendors flagged this skill as clean.
