Cross Platform Computer Use Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate desktop-control skill, but it silently grants powerful screen, clipboard, app, and input permissions that users would reasonably expect to approve manually.

Install only in a trusted local desktop session. Assume the skill can see visible screen contents, read or modify clipboard text when granted through its own flow, launch applications, and drive the GUI. Review or patch the permission flow before using it with browsers, terminals, private documents, financial apps, credentials, or other sensitive workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (39)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill documentation instructs use of shell commands, reads environment-dependent paths like $HOME, accesses local files under ~/.codex/skills, and performs network-enabled package installation via npm install, yet it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: users and hosting systems cannot accurately assess or constrain what the skill needs before execution, increasing the risk of unexpected code execution, dependency fetching, or local data exposure.

Description-Behavior Mismatch
Severity: Medium
Confidence: 98%
Finding: The session context unconditionally approves permission requests for any resolved app and merges requested capability flags without any user mediation or policy enforcement. In a computer-use runtime, this lets an agent expand its access surface to local applications autonomously, enabling unintended app control and potentially sensitive data access if a prompt or tool invocation is manipulated.

Context-Inappropriate Capability
Severity: Medium
Confidence: 98%
Finding: This code auto-approves application access capabilities with no review step, which defeats the purpose of a permission boundary. Because the skill is a cross-platform computer-use component, the context makes this more dangerous: the agent is specifically designed to interact with the local desktop, so silent grants can directly translate into unauthorized UI control or access to sensitive apps.

Context-Inappropriate Capability
Severity: Medium
Confidence: 84%
Finding: The executor can enumerate installed and running applications and launch arbitrary apps by bundle ID. In a cross-platform bundling/selection skill, this exceeds a narrow runtime-selection role and increases the ability to profile the host and drive local application behavior without clear scope restriction.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The code reads the current clipboard, overwrites it with attacker-controlled text, pastes it, and then attempts to restore the original contents. Clipboard data often contains passwords, tokens, or other sensitive information, so both reading and transient replacement create confidentiality and integrity risks, especially without user awareness.

Description-Behavior Mismatch
Severity: Medium
Confidence: 98%
Finding: The session context unconditionally auto-approves permission requests for any resolved app and merges requested flags without any user mediation. In a computer-use skill, permissions govern what applications the agent may control, so silent approval weakens a key trust boundary and can allow unintended access to local apps and capabilities.

Context-Inappropriate Capability
Severity: Medium
Confidence: 97%
Finding: `onPermissionRequest` directly returns `autoApprovePermission(req)`, meaning all permission requests are granted programmatically with no user approval path. In the context of a cross-platform computer-use runtime, this makes the agent's access-expansion autonomous and materially increases the risk of unauthorized interaction with sensitive applications or OS features.

Description-Behavior Mismatch
Severity: Medium
Confidence: 98%
Finding: The session context auto-approves requested app permissions for all resolved apps without any user mediation, policy enforcement, or risk-based restriction. In a computer-use runtime, this effectively removes a key safety boundary and can let an agent expand its access to additional applications silently, increasing the chance of unauthorized interaction with sensitive apps and data.

Context-Inappropriate Capability
Severity: Medium
Confidence: 94%
Finding: Binding `onPermissionRequest` directly to `autoApprovePermission` means permission elevation is granted automatically during normal session operation, despite the skill's stated packaging/runtime-selection purpose not requiring silent permission escalation. This creates unnecessary privilege expansion in a component that should be minimizing behavior, making the overall skill more dangerous than its declared role suggests.

Context-Inappropriate Capability
Severity: Medium
Confidence: 83%
Finding: The helper enumerates installed applications from registry keys and all running processes, which exposes broad host inventory data beyond what is strictly necessary for basic input automation. In an agent skill, this increases reconnaissance capability and can reveal sensitive software presence, user tooling, security products, and active workflows to an upstream controller.

Context-Inappropriate Capability
Severity: Medium
Confidence: 98%
Finding: The session context automatically grants permissions for every resolved app request without any user mediation, policy gate, or trust validation. In a computer-use skill, this effectively removes a core security boundary and can allow the agent to gain control over applications beyond what a user explicitly approved, increasing the risk of unintended actions, data access, or lateral abuse through privileged apps.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The README advertises powerful desktop-control capabilities including screenshots, keyboard/mouse input, app launch, and clipboard access, but does not place a clear, prominent warning near that feature list about privacy, unintended system actions, or sensitive-data exposure. In a computer-use skill, this omission increases the chance that users enable or deploy the tool without understanding it can capture secrets, manipulate the desktop, or affect other applications.

Missing User Warnings
Severity: Medium
Confidence: 83%
Finding: The README advertises powerful desktop-control features including screenshots, keyboard/mouse input, clipboard access, app inspection, and app launch, but it does not prominently warn users about the privacy, integrity, and system-impact risks of granting an agent these capabilities. In the context of an agent skill, this can lead to unsafe deployment because users may install or enable it without understanding that it can observe sensitive data and perform high-impact actions on their desktop.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The README explicitly advertises unrestricted screenshot and clipboard access and even notes that screenshot filtering is set to none, but it does not provide a prominent privacy warning, consent requirement, or safe-use guidance. In a computer-control skill, these capabilities can expose highly sensitive data such as passwords, tokens, messages, documents, and clipboard secrets, so under-warning users meaningfully increases misuse risk.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: This command surface exposes screenshot capture and clipboard read/write operations with no in-code consent prompt, policy gate, redaction, or visibility mechanism. In a computer-use skill, these primitives can capture secrets, tokens, personal data, and sensitive on-screen content from any accessible X11 session, making privacy impact substantial if the caller is untrusted or compromised.

Missing User Warnings
Severity: Medium
Confidence: 76%
Finding: Application launching is performed without any user-facing disclosure, confirmation, or policy enforcement, enabling silent process execution through the helper. In the context of an automation runtime, that expands the blast radius of a compromised or overprivileged caller by allowing stealthy execution of local applications and potentially attacker-chosen binaries.

Missing User Warnings
Severity: High
Confidence: 99%
Finding: Permission requests are granted without warning, confirmation, or contextual friction, so any component able to trigger a permission request can obtain access silently. In a local computer-use skill, that creates a meaningful security boundary failure because the model can gain control over installed applications and associated data without the user realizing access was expanded.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The README explicitly advertises clipboard read/write capability, but it does not clearly warn users that clipboard contents may contain sensitive data such as passwords, tokens, personal messages, or copied secrets. In a computer-use skill, clipboard access materially increases privacy and data-exfiltration risk because the runtime can inspect and overwrite user clipboard contents during normal operation.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The README states that screenshot filtering is set to 'none' and that screenshots are not compositor-level restricted, but it does not provide an explicit user-facing warning about the privacy consequences. In a computer-use skill, unfiltered screenshots can capture emails, chats, passwords, documents, MFA prompts, and other on-screen sensitive information across applications, making this especially dangerous in an agent-controlled environment.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The README explicitly advertises screenshots, frontmost app inspection, clipboard access, and related desktop-control features, but does not give a clear privacy warning about how these capabilities can expose passwords, messages, tokens, or other sensitive user data. In a computer-use skill, these are highly sensitive permissions, so omission of a prominent warning materially increases the risk of unsafe deployment or uninformed user consent.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The README states that screenshot filtering is disabled ('screenshotFiltering: none') and clarifies that screenshots are not compositor-filtered, but it does not pair this with a strong warning that all visible on-screen content may be captured, including confidential documents, credentials, chats, or regulated data. Because this project is specifically designed for desktop observation and control, unfiltered capture substantially increases privacy and data-exposure risk.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The README advertises highly sensitive capabilities (screen capture, clipboard access, keyboard/mouse control, and app launching) without a clear, explicit warning about privacy exposure, destructive potential, or the need for careful user consent before use. In a computer-use skill, these powers are expected, but documenting them without prominent risk disclosure can normalize dangerous deployment and mislead users about the level of access being granted.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: Clipboard contents are accessed and overwritten with no in-code notice, consent flow, or other user-facing disclosure. That makes sensitive data exposure and user confusion more likely, because clipboard operations are invisible and may affect unrelated applications.

Missing User Warnings
Severity: High
Confidence: 99%
Finding: Permission requests are automatically approved without warning, confirmation, or compensating safeguards visible in this file. Because this skill is specifically designed for computer control, the absence of a user-facing approval step is more dangerous than in ordinary application logic: it can let an agent silently gain control over additional apps and capabilities on the user's machine.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The helper exposes both clipboard read and clipboard write primitives without any built-in disclosure, consent, or policy enforcement. In a computer-use skill, clipboard contents often contain passwords, tokens, personal data, or copied secrets, so silent access materially increases exfiltration and tampering risk.

VirusTotal

64/64 vendors flagged this skill as clean.