Computer Use Windows

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is a disclosed Windows desktop-automation tool, but it gives an agent broad control over your screen, keyboard, mouse, clipboard, and app launching, so it needs careful review before use.

Install only if you intentionally want an agent to control a Windows desktop. Prefer using a VM or separate low-privilege Windows account, close sensitive apps, avoid showing secrets, and verify the runtime and MCP gating on a real Windows machine before relying on it for important tasks.

Static analysis

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
High
What this means

An agent using this skill could view the desktop, type, click, paste, launch apps, or interact with accounts already open on the machine.

Why it was flagged

These are broad desktop-control capabilities that can read sensitive on-screen or clipboard data and perform actions in local applications as the user.

Skill content

standalone MCP server for screenshots, mouse, keyboard, app launch, window/display mapping, and clipboard

Recommendation

Use only on a trusted Windows profile, keep it supervised, close sensitive apps, and do not run it where unintended clicks or keystrokes could cause harm.

ASI02: Tool Misuse and Exploitation
Medium
What this means

If the automation misbehaves, the user may have fewer immediate ways to stop mouse and keyboard actions.

Why it was flagged

The runtime disables PyAutoGUI's built-in mouse-corner emergency stop, reducing one standard manual interruption mechanism for desktop automation.

Skill content

pyautogui.FAILSAFE = False

Recommendation

Confirm there is an external stop mechanism before use, such as stopping the MCP process, using a separate keyboard interrupt, or running inside a controlled VM/session.

ASI02: Tool Misuse and Exploitation
Medium
What this means

If the MCP-layer controls are incomplete or fail, the agent may see or act on windows that the user did not intend to expose.

Why it was flagged

The runtime does not provide native screenshot filtering; safety depends on MCP-layer gating for a high-impact desktop-control tool.

Skill content

the current runtime reports `screenshotFiltering: none`, so action gating is handled at the MCP layer

Recommendation

Avoid displaying secrets while using the skill and verify the MCP gating behavior on a real Windows host before relying on it.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

First run may execute package installation code from public package repositories.

Why it was flagged

The runtime downloads/installs Python dependencies on first launch. This is disclosed and central to the purpose, but it adds supply-chain exposure.

Skill content

On first launch, the project will automatically: ... bootstrap `pip` if needed ... install the Python runtime dependencies from `runtime/requirements.txt`

Recommendation

Run in a controlled environment and consider pinning or pre-auditing dependencies before production use.

ASI05: Unexpected Code Execution
Low
What this means

The skill can start local processes as part of its runtime.

Why it was flagged

The static scan reports child_process execution. For this skill, local process spawning is expected for building, launching, and bridging to the Python runtime.

Skill content

const child = execFile(

Recommendation

Keep use limited to the bundled project directory and review changes before running updated versions.

ASI06: Memory and Context Poisoning
Medium
What this means

Sensitive information visible on screen can be captured and made available to the agent session.

Why it was flagged

Screenshots are encoded and returned through the helper, meaning screen contents can enter the agent/MCP context.

Skill content

base64_data = base64.b64encode(buffer.getvalue()).decode("ascii")

Recommendation

Do not use this while secrets, private messages, financial data, or privileged admin windows are visible.

ASI03: Identity and Privilege Abuse
Medium
What this means

The agent may be able to act as the logged-in user in already-authenticated desktop applications.

Why it was flagged

The skill operates inside the user's Windows session and can interact with apps using the user's existing local privileges.

Skill content

Windows does not require the same Accessibility / Screen Recording prompts as macOS, but desktop control can still be limited by: elevated windows when the agent is not elevated

Recommendation

Run with the least-privileged Windows account practical, and avoid elevating the agent unless absolutely necessary.