Deskuse

Security checks across malware telemetry and agentic risk

Overview

This skill is a real desktop-control tool, but it silently auto-approves powerful app and clipboard permissions, so it should be reviewed before installation.

Install only if you trust the publisher and are comfortable giving an agent broad control over your active desktop. Use a dedicated account or sandbox where possible, avoid sensitive apps while it is running, and be aware that app, clipboard, and system-key permissions may be granted automatically rather than through a clear approval prompt.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (53)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if os.path.exists(target):
        subprocess.Popen([target])
        return
    subprocess.Popen([target])


def read_clipboard() -> str:
Confidence
94% confidence
Finding
subprocess.Popen([target])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if not target:
        raise RuntimeError("Missing app identifier")
    if target.endswith(".desktop") and os.path.exists(target):
        subprocess.Popen(["gtk-launch", Path(target).stem])
        return
    if os.path.exists(target):
        subprocess.Popen([target])
Confidence
88% confidence
Finding
subprocess.Popen(["gtk-launch", Path(target).stem])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        subprocess.Popen(["gtk-launch", Path(target).stem])
        return
    if os.path.exists(target):
        subprocess.Popen([target])
        return
    subprocess.Popen([target])
Confidence
93% confidence
Finding
subprocess.Popen([target])
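
The three findings above quote one launch helper. It starts whatever path it is handed as soon as os.path.exists() is true, and the trailing subprocess.Popen([target]) runs even when the check fails. The block below is an added example, not Deskuse's code: a launcher that executes only commands resolved from a fixed allowlist, and never the caller-supplied string itself. The app identifiers, binary paths and trusted .desktop directories are constructed for the illustration.

```python
import subprocess
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed allowlist: the only apps the runtime may start. The agent uses the
# key; the value is a fixed binary path the agent cannot influence.
APP_ALLOWLIST: Dict[str, str] = {
    "browser": "/usr/bin/firefox",
    "editor": "/usr/bin/gedit",
}

# Constructed: system directories whose .desktop entries are trusted. The
# user-writable ~/.local/share/applications is deliberately absent, because a
# .desktop file there can carry an arbitrary Exec= line.
TRUSTED_DESKTOP_DIRS: Tuple[str, ...] = (
    "/usr/share/applications",
    "/usr/local/share/applications",
)


class LaunchDenied(ValueError):
    """Raised when a launch target is not covered by policy."""


def resolve_launch_command(
    target: str,
    allowlist: Dict[str, str] = APP_ALLOWLIST,
    desktop_dirs: Tuple[str, ...] = TRUSTED_DESKTOP_DIRS,
) -> List[str]:
    """Map an app identifier to an argv list, or raise LaunchDenied.

    Unlike an existence check, nothing here lets the caller choose the
    executable: allowlisted names map to fixed paths, and only .desktop files
    inside trusted system directories are turned into a gtk-launch call.
    """
    if not target or target != target.strip():
        raise LaunchDenied("missing or malformed app identifier")

    if target in allowlist:
        return [allowlist[target]]

    path = Path(target)
    if path.suffix == ".desktop":
        # Path() does not normalise "..", so a traversal attempt keeps its
        # literal parent and fails the directory comparison below.
        if not path.is_absolute() or str(path.parent) not in desktop_dirs:
            raise LaunchDenied(f"desktop entry outside trusted directories: {target}")
        return ["gtk-launch", path.stem]

    raise LaunchDenied(f"target is not an allowlisted app: {target}")


def is_allowed(target: str) -> bool:
    """Convenience predicate for policy checks and tests."""
    try:
        resolve_launch_command(target)
        return True
    except LaunchDenied:
        return False


def launch(target: str) -> "subprocess.Popen":
    """Start an app; the only thing ever passed to Popen is a resolved command."""
    return subprocess.Popen(resolve_launch_command(target))


if __name__ == "__main__":
    print(resolve_launch_command("browser"))
    print(resolve_launch_command("/usr/share/applications/org.gnome.Nautilus.desktop"))
    print(is_allowed("/tmp/payload"), is_allowed("/home/user/.local/share/applications/evil.desktop"))
```

Two caveats worth keeping in mind. os.path.exists() is not an authorization check: anything an agent can write to disk, such as a downloaded binary or a .desktop file under the user's home directory, passes it. And gtk-launch resolves the stem by name through the XDG application directories, where the user's own data directory takes precedence over the system ones, so a same-named entry under ~/.local/share/applications can still shadow the trusted file; launching the fixed binary path from the allowlist avoids that indirection entirely.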

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises and instructs use of shell, network, environment, and file-access capabilities but does not declare permissions, which undermines transparency and any policy/approval layer that depends on explicit capability disclosure. In a cross-platform computer-use skill that installs dependencies and launches runtime components, undeclared capabilities materially increase the risk of unexpected execution, filesystem access, and external downloads.
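
The Lp3 finding and the Vulnerability Patterns list above describe the same gap: the skill's code exercises shell, network, environment and file access while its metadata declares nothing, and the scanner's Behavioral AST rules look for exec(), eval() and dynamic import calls. The block below is an added example, not SkillSpector's or Deskuse's code, of how such a check can be built: it walks the Python AST, maps call sites to capability classes, and reports every class that the declared manifest omits. The marker table, the sample helper source and the declared-capability set are all constructed for this illustration.

```python
import ast
from typing import Dict, List, Optional, Set

# Dotted call names (or bare method names) and the capability each implies.
# Constructed for this example; a real checker would carry a far longer table.
MARKERS: Dict[str, str] = {
    "subprocess.Popen": "shell", "subprocess.run": "shell", "subprocess.call": "shell",
    "subprocess.check_output": "shell", "os.system": "shell", "os.popen": "shell",
    "urllib.request.urlopen": "network", "requests.get": "network", "requests.post": "network",
    "socket.socket": "network", "http.client.HTTPSConnection": "network",
    "os.environ": "environment", "os.getenv": "environment",
    "open": "filesystem", "os.listdir": "filesystem", "os.walk": "filesystem",
    "read_text": "filesystem", "write_text": "filesystem",
    "read_bytes": "filesystem", "write_bytes": "filesystem",
    "eval": "dynamic_code", "exec": "dynamic_code",
    "__import__": "dynamic_code", "importlib.import_module": "dynamic_code",
}


def _dotted(node: ast.AST) -> Optional[str]:
    """Return 'a.b.c' for a Name/Attribute chain, or None if the chain
    starts from something else (a call result, a subscript, ...)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _marker_name(node: ast.AST) -> Optional[str]:
    """Name to look up in MARKERS for a Call or Attribute node. When the chain
    does not start at a Name (e.g. Path(...).read_text) fall back to the bare
    method name, which is why MARKERS also lists method names."""
    target = node.func if isinstance(node, ast.Call) else node
    name = _dotted(target)
    if name is None and isinstance(target, ast.Attribute):
        name = target.attr
    return name


def infer_capabilities(source: str) -> Dict[str, Set[str]]:
    """Capability class -> set of 'marker:line' sites found in the source."""
    found: Dict[str, Set[str]] = {}
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.Call, ast.Attribute)):
            continue
        name = _marker_name(node)
        cap = MARKERS.get(name) if name else None
        if cap:
            found.setdefault(cap, set()).add(f"{name}:{node.lineno}")
    return found


def undeclared_capabilities(source: str, declared: Set[str]) -> Dict[str, List[str]]:
    """Capabilities the code exercises but the manifest does not declare."""
    return {cap: sorted(sites)
            for cap, sites in infer_capabilities(source).items()
            if cap not in declared}


# Constructed sample of a computer-use helper; not code from the skill.
SAMPLE_HELPER = '''\
import os, subprocess, urllib.request
from pathlib import Path

def launch(target):
    subprocess.Popen([target])

def fetch_runtime(url):
    return urllib.request.urlopen(url).read()

def token():
    return os.environ.get("API_TOKEN")

def read_clipboard():
    return Path("/tmp/clip").read_text()

def run_plugin(code):
    exec(code)
'''

# Constructed manifest: the only capability this sample declares.
DECLARED_CAPABILITIES: Set[str] = {"filesystem"}


if __name__ == "__main__":
    for cap, sites in sorted(undeclared_capabilities(SAMPLE_HELPER, DECLARED_CAPABILITIES).items()):
        print(f"undeclared {cap}: {', '.join(sites)}")
```

Matching on names is a heuristic, not a proof: aliased imports (import subprocess as sp), getattr() lookups and string-built module names all slip past it, which is exactly the territory the Obfuscated Code and Dynamic Import patterns are there to flag. The checker is still useful as a gate because a skill whose manifest is silent while its AST shows shell and network calls has already failed the transparency requirement the finding describes.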

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented purpose frames the skill as a packaging/selection wrapper, but the actual behavior includes powerful remote computer-control features such as input injection, screenshots, clipboard access, application enumeration, and app launching. This mismatch is dangerous because users or automated reviewers may approve the skill under a much narrower trust assumption than is warranted, enabling broad host interaction and data exposure once installed.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The permission flow is implemented as unconditional approval for all resolved apps, which defeats the purpose of a permission request boundary. In a computer-use skill that can control local applications, this enables silent expansion of access to additional apps without meaningful user consent, increasing the risk of unauthorized actions and data exposure.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The session context unconditionally auto-approves permission requests by granting all resolved apps and merging all requested flags without any user mediation. In a computer-use runtime, this removes a critical consent boundary and can let an agent gain unintended control or access to applications and related capabilities on the user's macOS system.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code spreads req.requestedFlags directly into the granted permission result, effectively honoring whatever capability flags the requester asks for. Because this skill is for cross-platform computer use rather than a narrowly scoped permission broker, automatically escalating requested grant flags is unjustified and increases the reachable privilege surface.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The session automatically grants permissions for every resolved app that is not already granted, with no user confirmation, policy check, or allowlist enforcement. In a computer-use runtime, this can let an agent expand its control surface to additional local applications and perform unintended actions under the user's account.
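
The four findings above describe a single permission path: every resolved app is granted, and req.requestedFlags is spread directly into the grant with no allowlist, policy ceiling or user prompt. The block below is an added example, not the skill's code (the skill's session context is not written in Python), that places a mirror of the flagged pattern next to a broker which grants only allowlisted apps, intersects the requested flags with a per-app ceiling, records what it refused, and fails closed when no user approver is wired in. The policy contents, app names and flag names are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Tuple

Session = Dict[str, FrozenSet[str]]          # app -> flags granted so far
Policy = Dict[str, FrozenSet[str]]           # app -> maximum flags ever grantable
Approver = Callable[[str, FrozenSet[str]], bool]


@dataclass(frozen=True)
class PermissionRequest:
    apps: Tuple[str, ...]            # app identifiers already resolved by the runtime
    requested_flags: FrozenSet[str]  # capability flags the caller asks for


@dataclass
class PermissionResult:
    granted: Dict[str, FrozenSet[str]] = field(default_factory=dict)
    denied: List[Tuple[str, str]] = field(default_factory=list)   # (app, reason)


def approve_unconditionally(req: PermissionRequest, session: Session) -> PermissionResult:
    """Mirror of the flagged pattern: every resolved app is granted and the
    requested flags are merged straight into the session. Whoever can issue a
    request decides its own privileges."""
    result = PermissionResult()
    for app in req.apps:
        session[app] = session.get(app, frozenset()) | req.requested_flags
        result.granted[app] = session[app]
    return result


def _deny_by_default(app: str, flags: FrozenSet[str]) -> bool:
    # No UI attached means no consent; the broker must fail closed.
    return False


def approve_with_policy(
    req: PermissionRequest,
    session: Session,
    policy: Policy,
    ask_user: Approver = _deny_by_default,
) -> PermissionResult:
    """Grant at most policy[app] & requested_flags, and only after the user has
    confirmed any flags the session does not already hold for that app."""
    result = PermissionResult()
    for app in req.apps:
        ceiling = policy.get(app)
        if ceiling is None:
            result.denied.append((app, "app not in allowlist"))
            continue

        flags = req.requested_flags & ceiling
        excess = req.requested_flags - ceiling
        if excess:
            # Never silently widen: record the flags the policy refused.
            result.denied.append((app, "flags exceed policy: " + ",".join(sorted(excess))))
        if not flags:
            continue

        already = session.get(app, frozenset())
        new_flags = flags - already
        if new_flags and not ask_user(app, new_flags):
            result.denied.append((app, "user declined"))
            continue

        session[app] = already | flags
        result.granted[app] = session[app]
    return result


# Constructed policy: the editor may be driven and captured, the browser only captured.
POLICY: Policy = {
    "editor": frozenset({"screenshot", "input"}),
    "browser": frozenset({"screenshot"}),
}


if __name__ == "__main__":
    req = PermissionRequest(("editor", "browser", "password-manager"),
                            frozenset({"screenshot", "input", "clipboard"}))
    print(approve_unconditionally(req, {}))
    print(approve_with_policy(req, {}, POLICY, ask_user=lambda app, flags: app == "editor"))
```

The difference that matters to a reviewer is the second function's failure mode: with no approver supplied, approve_with_policy grants nothing at all, whereas the mirrored pattern grants everything to everyone, including apps the policy has never heard of.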

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README advertises powerful desktop-control capabilities including screenshots, keyboard/mouse injection, clipboard access, app launching, and automatic dependency installation, but it does not clearly warn users about the privacy and system-integrity impact of granting and using those capabilities. In the context of a computer-use skill, this omission increases the chance that users will install or run it without understanding that it can observe sensitive data and modify the host system state.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README advertises powerful desktop-control features including screenshots, keyboard/mouse input, clipboard access, app discovery, and app launching, but it does not present an equally prominent warning about privacy, destructive actions, or host compromise risk. In a computer-use skill, this omission is security-relevant because users may install or enable it without understanding that it grants broad surveillance and control over their active desktop session.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The helper can capture screenshots of the full display and elsewhere exposes clipboard reads, with no user-facing notification, consent, or redaction controls. In a computer-use skill, this is especially sensitive because the purpose is remote observation/control of a live desktop, so these features can expose credentials, documents, tokens, and private conversations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code performs unrestricted keyboard, mouse, drag, scroll, and text-entry actions without confirmation, rate limiting, or safety interlocks. In this skill's context, that means a caller can drive arbitrary GUI workflows such as approving prompts, modifying files, sending messages, or changing system settings, making the capability materially dangerous.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The helper exposes application launch functionality without any disclosure, approval, or restriction on what may be started. Combined with the rest of the runtime's desktop control features, silent process launch broadens the attack surface from observation to active execution and post-launch manipulation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This code reads the current clipboard, overwrites it with arbitrary text, triggers a paste operation, and then restores the prior clipboard contents, all without any user-facing disclosure or consent check. In a computer-use runtime, clipboard contents may contain sensitive data such as passwords, tokens, or personal information, so silent access and transient replacement create real privacy and integrity risks even if the feature is intended to improve typing reliability.

Missing User Warnings

High
Confidence
99% confidence
Finding
Permission requests are silently approved with no user-facing confirmation, so any component invoking this flow can obtain access to resolved applications without notice. In the context of a cross-platform computer-use runtime, this is especially dangerous because app-level permissions are a key safeguard against unauthorized desktop automation and lateral access to sensitive data.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
This README explicitly documents clipboard read/write capability and states that screenshot filtering is disabled, but it does not present a prominent privacy/security warning about the sensitivity of clipboard contents and full-screen captures. In a computer-use skill, these capabilities can expose passwords, tokens, personal data, or other sensitive on-screen information, so the omission meaningfully increases the risk of unsafe deployment or user misunderstanding.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation describes mouse control, keyboard input, app launch, and display interaction but does not clearly warn that the skill can actively manipulate the host system. In the context of an agent-integrated MCP server, that omission increases the risk of unsafe deployment because these capabilities can execute unintended actions in other applications and affect system integrity.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README advertises screenshot and clipboard read/write capabilities, which are inherently privacy-sensitive because they can capture secrets, personal data, tokens, and other on-screen or copied content. In a computer-use skill this functionality may be expected, but the lack of a prominent user warning, consent model, or data-handling guidance increases the risk of accidental over-collection or misuse.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README states that multi-character text may be entered by writing to the clipboard and pasting, but it does not clearly warn users that this will overwrite clipboard contents. That can expose or destroy previously copied sensitive data and may unexpectedly transfer secrets into other applications if users are unaware of the behavior.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This code explicitly reads the current clipboard, overwrites it with arbitrary text, triggers a paste action, and then attempts to restore the prior contents. In a computer-control skill, that creates real privacy and integrity risk because sensitive clipboard data can be accessed and transiently replaced without any user-facing disclosure, consent gate, or policy restriction.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The executor can capture screenshots of displays through the Python helper with no visible notice, scoping restriction, or confirmation in this layer. In a remote computer-use skill, screen captures can expose highly sensitive information such as credentials, messages, documents, and other apps' contents, making undisclosed capture a genuine data-exposure risk.

Missing User Warnings

High
Confidence
98% confidence
Finding
Permission requests are approved silently with no warning, prompt, or confirmation, so the user has no opportunity to review which apps or capabilities are being authorized. In a desktop-control skill, silent approval materially increases the risk of unauthorized application interaction, privacy loss, and misuse of system automation features.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The runtime exposes full-display and region screenshot capabilities and returns image data as base64 without any in-file consent gating, redaction, or policy enforcement. In a computer-use skill, this is especially sensitive because screenshots can capture credentials, messages, tokens, and other confidential on-screen data at scale.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal