Compuse

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed desktop-control skill, but it silently auto-approves its own high-impact computer-use permissions despite tool text saying the user will review them.

Install only if you intentionally want an agent to control your active desktop. Treat it as high privilege: it can see unredacted screens, use the keyboard/mouse, read or write the clipboard when requested, and launch approved apps. The main review issue is that its standalone permission flow auto-approves access instead of making the user confirm each requested app and flag.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (47)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if os.path.exists(target):
        subprocess.Popen([target])
        return
    subprocess.Popen([target])


def read_clipboard() -> str:
Confidence
93% confidence
Finding
subprocess.Popen([target])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if not target:
        raise RuntimeError("Missing app identifier")
    if target.endswith(".desktop") and os.path.exists(target):
        subprocess.Popen(["gtk-launch", Path(target).stem])
        return
    if os.path.exists(target):
        subprocess.Popen([target])
Confidence
88% confidence
Finding
subprocess.Popen(["gtk-launch", Path(target).stem])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        subprocess.Popen(["gtk-launch", Path(target).stem])
        return
    if os.path.exists(target):
        subprocess.Popen([target])
        return
    subprocess.Popen([target])
Confidence
94% confidence
Finding
subprocess.Popen([target])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if resolved:
        subprocess.Popen([resolved])
        return
    subprocess.Popen(["cmd", "/c", "start", "", target], shell=False)


def read_clipboard() -> str:
Confidence
92% confidence
Finding
subprocess.Popen(["cmd", "/c", "start", "", target], shell=False)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        return
    resolved = shutil.which(target)
    if resolved:
        subprocess.Popen([resolved])
        return
    subprocess.Popen(["cmd", "/c", "start", "", target], shell=False)
Confidence
87% confidence
Finding
subprocess.Popen([resolved])

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and instructs use of shell commands, file paths, environment-dependent resolution, network-installed dependencies, and runtime execution, yet it declares no permissions. That mismatch can bypass user expectations and platform trust decisions, especially for a computer-use skill that can bootstrap code and access local resources.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The description frames the skill as a packaging/platform-selection layer, but the detected behavior includes broad host-control capabilities such as keyboard/mouse automation, clipboard access, app inspection, and window/display manipulation. In a trusted-local computer-use context these capabilities may be expected somewhere in the stack, but understating them at the top level is dangerous because users may install or invoke the skill without understanding it can actively control and inspect their system.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The session context automatically grants permissions for any resolved app without requiring explicit user approval. In a computer-use skill, this weakens the trust boundary around application access and can let the agent expand its control to installed applications silently, which is especially dangerous because the skill is specifically designed to interact with the user's desktop environment.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The session context automatically grants permissions for any resolved app without a user approval step, which defeats the core safety boundary around computer-use access. In a computer-control skill, this can let the agent expand its control surface to additional local applications silently, increasing the risk of unauthorized actions, data access, or abuse of privileged apps.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
Binding onPermissionRequest directly to autoApprovePermission means every permission request is silently approved by design, despite the handler name implying a proper mediation step. This creates a misleading trust boundary and makes it easy for downstream components to assume user consent was obtained when it was not.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The session context automatically grants permissions for any resolved app request without requiring explicit user consent or maintaining a real denial history. In a computer-use skill, that means the agent can silently expand its control surface to additional applications, undermining the core safety boundary that app grants are supposed to enforce.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The session context automatically grants permission for every resolved app request without any user-mediated approval, effectively bypassing the protection implied by the permission-request flow. In a computer-use runtime, this can let the agent expand control to additional installed applications silently, increasing the risk of unintended interaction with sensitive apps and data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README advertises high-risk capabilities such as screenshots, keyboard/mouse injection, clipboard access, and app launching, but does not clearly warn users that these features can expose sensitive data or manipulate the host system. In a computer-use skill, this omission is material because users may install or run it without understanding the privacy and integrity risks inherent to remote desktop control functionality.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README advertises powerful desktop-control features such as screenshots, keyboard/mouse input, clipboard access, app launch, and window inspection without a prominent warning about privacy, safety, and system-impact risks. In a skill intended for agent ecosystems, this omission can cause users to enable highly invasive capabilities without understanding that the software can observe and manipulate their active desktop session.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The install/start instructions tell users to build and run the server but do not prominently warn that first launch will automatically create a virtual environment, bootstrap pip, install Python packages, and then expose desktop-control actions. Automatic dependency installation plus immediate access to screenshots and synthetic input increases the chance that a user runs the skill without informed consent about network activity, code installation, and host-control capabilities.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README advertises powerful desktop-control features including screenshots, keyboard/mouse input, clipboard access, app discovery, and window mapping, but does not clearly warn users that these capabilities can expose sensitive data or trigger privacy-impacting actions. In a computer-use skill, omission of explicit risk disclosure increases the chance that users install or invoke the tool without understanding that it can read on-screen secrets, access clipboard contents, and automate destructive interactions.

Missing User Warnings

High
Confidence
96% confidence
Finding
The README explicitly states that screenshot filtering is set to 'none', meaning captured images may include any visible on-screen content, yet it does not pair this with a clear warning about credential, personal, financial, or proprietary data exposure. Given this skill's purpose is desktop automation, unfiltered screenshots materially increase the risk of collecting and transmitting sensitive information from the user's active session.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The file provides screenshot capture and clipboard read/write capabilities with no user-facing disclosure, consent, or indication when sensitive desktop contents are being accessed. In a cross-platform computer-use skill, this is especially dangerous because screenshots and clipboard contents often contain credentials, private messages, tokens, and other sensitive data unrelated to the intended task.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Application launching is performed silently and directly from agent-controlled input, giving the runtime the ability to open programs or trigger workflows without informing the user. In this skill’s context, that capability compounds with input automation and screen access, enabling stealthy execution chains such as opening terminals, password managers, browsers, or system tools and then manipulating them.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The helper performs unrestricted keyboard and mouse automation, including hotkeys, typing, clicks, drags, and held keys, with no confirmation, rate limiting, or safety boundaries. Given the skill is specifically a computer-use runtime, this is highly dangerous: an injected or malicious caller can drive arbitrary GUI workflows, approve prompts, alter system settings, exfiltrate data, or execute destructive actions as the user.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This code reads the current clipboard, overwrites it with attacker-controlled text, pastes via simulated keystrokes, and then restores the prior contents, all without any consent, notification, or policy enforcement in this layer. In a computer-control skill, clipboard contents can include passwords, tokens, API keys, wallet addresses, or other sensitive data, so silent access and automated paste can directly enable data theft or unintended command/input injection into privileged applications.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
This code captures screenshots programmatically without any visible indicator, user confirmation, or access control visible in this file. In a cross-platform computer-use agent, screenshots can expose emails, chats, documents, MFA prompts, credentials, and other sensitive on-screen data, making silent capture a meaningful privacy and data-exfiltration risk.

Missing User Warnings

High
Confidence
99% confidence
Finding
Permission requests are approved with no warning, prompt, or confirmation, so the user receives no opportunity to review what access is being requested. In the context of a cross-platform computer-use runtime, silent approval materially increases the risk of unauthorized interaction with sensitive applications, data exposure, and unintended privileged actions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README documents capabilities for screenshot capture, clipboard access, app launching, and keyboard/mouse control, but it does not prominently warn users about the privacy and system-control risks of granting these permissions. In a computer-use skill, those permissions enable broad access to sensitive on-screen data and interactive control of the host, so under-disclosure increases the chance of unsafe installation or misuse.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly advertises screenshot capture, clipboard access, and other desktop-control capabilities but does not prominently warn users that the skill can collect sensitive on-screen data and clipboard contents. For a computer-use skill, these permissions are expected, but failing to clearly disclose the privacy implications increases the risk of uninformed installation and misuse.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal