System Controller

Security checks across malware telemetry and agentic risk

Overview

This skill openly gives an agent broad control over a Windows PC and smart-home/API devices, but its safeguards are mostly instructions rather than enforced limits.

Install only if you intentionally want an agent to control your Windows desktop, processes, power state, network adapters, screen, serial devices, and smart-home/API endpoints. Require explicit confirmation before shutdown/restart/sleep, process or window closing, network changes, POST/PUT/API service calls, and GUI typing/clicking; avoid placing long-lived tokens in command lines or transcripts; hide sensitive windows before screenshots/OCR; and preinstall/review dependencies instead of relying on automatic pip installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (24)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
)
    
    try:
        result = subprocess.run(
            ["powershell", "-NoProfile", "-NonInteractive", "-Command",
             encoding_setup + script],
            capture_output=True,
Confidence
95% confidence
Finding
result = subprocess.run( ["powershell", "-NoProfile", "-NonInteractive", "-Command", encoding_setup + script], capture_output=True, text=True,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
env["PYTHONIOENCODING"] = "utf-8"
    
    try:
        result = subprocess.run(
            command,
            capture_output=True,
            text=True,
Confidence
99% confidence
Finding
result = subprocess.run( command, capture_output=True, text=True, encoding="utf-8", errors="replace", timeout=timeout,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
cmd = [pip, "-m", "pip", "install"] + pkgs
    print(f"INFO: Installing missing packages: {', '.join(pkgs)}", file=sys.stderr)
    try:
        subprocess.run(cmd, capture_output=True, timeout=120)
        return True
    except Exception as e:
        print(f"ERROR: Failed to install packages: {e}", file=sys.stderr)
Confidence
91% confidence
Finding
subprocess.run(cmd, capture_output=True, timeout=120)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
return requests
    except ImportError:
        print("Installing requests...")
        subprocess.check_call(
            [sys.executable, "-m", "pip", "install", "requests", "-q"],
            stdout=subprocess.DEVNULL
        )
Confidence
95% confidence
Finding
subprocess.check_call( [sys.executable, "-m", "pip", "install", "requests", "-q"], stdout=subprocess.DEVNULL )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
return True
    except ImportError:
        print("Installing pyserial...")
        subprocess.check_call(
            [sys.executable, "-m", "pip", "install", "pyserial", "-q"],
            stdout=subprocess.DEVNULL
        )
Confidence
95% confidence
Finding
subprocess.check_call( [sys.executable, "-m", "pip", "install", "pyserial", "-q"], stdout=subprocess.DEVNULL )

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The IoT controller includes a generic HTTP client that can send GET/POST/PUT requests to arbitrary endpoints, which goes beyond narrowly scoped system control and effectively provides a general outbound network primitive. That can be abused for SSRF-like access to internal services, unauthorized API interaction, token exfiltration, or sending commands to unintended devices.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill expands from GUI automation into software installation by auto-installing pyautogui, pillow, and pytesseract at runtime. In this skill context, that is especially dangerous because a tool already capable of desktop control and screenshot/OCR can silently add and execute external code, increasing supply-chain and post-compromise risk.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
A skill for IoT control does not need to modify the Python environment during normal execution. Auto-installing requests expands the trust boundary to package repositories and can lead to unexpected code execution or environment tampering on the host system.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Installing pyserial on demand gives this skill outbound package-management behavior beyond its stated purpose of talking to serial devices. In an agent skill context, that is more dangerous because simply using the skill can trigger network access and software changes on the host, which may violate least privilege and create a supply-chain exposure.

Vague Triggers

High
Confidence
94% confidence
Finding
The trigger phrases are extremely broad and include many common requests like 'click here', 'type text', 'screenshot', and 'open app', increasing the chance of accidental invocation. Because the skill performs high-impact actions on the desktop, hardware, and networked devices, unintended routing could directly cause integrity or privacy harm.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill documents screenshots, OCR, mouse, and keyboard automation without a clear user-facing privacy and integrity warning commensurate with those powers. These capabilities can capture sensitive screen contents, enter data into the wrong context, or trigger unintended actions in privileged applications.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation does not clearly warn that IoT and generic HTTP operations may transmit tokens, device identifiers, and other sensitive API data over the network. In combination with arbitrary endpoint support, users may unknowingly expose credentials or issue commands to external systems without understanding the data-handling risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This reference documents destructive system actions such as killing processes, shutting down or restarting the host, sleeping or hibernating the system, and disabling network adapters without any guardrails, warnings, or confirmation requirements. In a skill explicitly designed to control the local OS and hardware, omission of safety guidance materially increases the chance of user harm, data loss, denial of service, or accidental disconnection from critical services.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Window close and keystroke injection commands can dismiss dialogs, trigger unintended actions, or type into the wrong application if targeting is inaccurate or window focus changes. Because these commands directly automate GUI interaction, lack of warnings about unsaved work, focus validation, and unintended input makes accidental destructive behavior significantly more likely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The examples include bearer tokens, direct Home Assistant control, arbitrary service invocation, and generic HTTP state-changing requests without privacy, authorization, or secret-handling warnings. In practice, this can encourage unsafe handling of credentials, unauthorized device control, SSRF-like access to internal services, and unintended modification of smart-home or local network systems.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Running pip automatically without prior warning or confirmation removes an important trust boundary and can surprise users by modifying their environment. While not a shell injection issue here, it is still unsafe operational behavior because it fetches and executes package-supplied code without explicit consent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The screenshot and OCR functions capture potentially sensitive on-screen data and save images to disk by default without an explicit privacy notice, consent check, or retention control. In a system-controller skill, this materially increases risk because the tool can observe passwords, chats, documents, tokens, and other confidential desktop content.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The PowerShell OCR fallback writes a screenshot of the selected screen region to a predictable temp file, potentially exposing sensitive visual data to other local processes or later forensic recovery. Because this skill is explicitly designed to inspect the desktop, temp-file persistence meaningfully increases confidentiality risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code exposes adapter enable/disable operations directly with no confirmation gate, allowlist, or higher-level authorization check before cutting network connectivity. In an agent skill whose purpose is to control system hardware and networking, this is particularly dangerous because a prompt-injection, misfire, or ambiguous user request could immediately disconnect the host, disrupt remote administration, or interfere with security tooling and business operations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The package installation occurs with only a generic print message and no meaningful consent flow. In an agent setting this is risky because the host may be altered silently, and the user/operator may not realize that external code is being fetched and executed.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The generic HTTP POST/PUT capability can send arbitrary requests to arbitrary endpoints, enabling remote side effects far beyond narrow IoT control. In an agent context this broad network primitive can be abused for SSRF-like access to internal services, unauthorized device manipulation, or data exfiltration to attacker-controlled endpoints.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill exposes direct process termination by PID or name with no confirmation, authorization check, or allowlist/denylist protections. In an agent skill whose purpose is to control the desktop, this is materially dangerous because a mistaken, ambiguous, or prompt-injected request could terminate security tools, productivity apps, or critical system processes and cause denial of service or data loss.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The skill can launch arbitrary processes through PowerShell without confirmation or policy restrictions. In this skill context, that capability is more dangerous than in a passive utility because the agent is specifically designed to execute desktop-control requests, so prompt injection, misinterpretation, or abuse could cause execution of unwanted programs or scripts.

Missing User Warnings

High
Confidence
91% confidence
Finding
Title-substring matching combined with bulk forced termination can close and kill multiple unrelated applications, causing denial of service and data loss from unsaved work. In a system-controller skill, natural-language-derived titles may be ambiguous, so this broad destructive behavior is more dangerous than in a narrowly scoped administrative script.

VirusTotal

65/65 vendors flagged this skill as clean.