Back to skill

Security audit

Computer Use Linux

Security checks across malware telemetry and agentic risk

Overview

This is a real Linux desktop-control skill, but its standalone runtime auto-grants powerful screen, input, app, and clipboard permissions without an actual user approval step.

Install only if you intentionally want an agent to control a trusted Linux desktop session. Treat it as high-privilege: it can see unredacted screen contents, use mouse and keyboard input, read or write clipboard data when requested, launch already-granted apps, and install Python packages on first run. Review or change the auto-approval behavior before using it around sensitive apps or private data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises and instructs use of capabilities including shell execution, network access, environment access, and file reads, yet declares no permissions. This creates a transparency and policy-enforcement gap: users or platforms may treat the skill as lower risk than it actually is, increasing the chance that powerful operations are executed without appropriate review or gating.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The skill description emphasizes packaging and bootstrap characteristics, but the underlying behavior exposes broad computer-control functions including keyboard/mouse automation, clipboard access, process launching, app/window enumeration, and permission workflows. That mismatch is dangerous because it can cause reviewers or users to underestimate that this is effectively a high-privilege desktop automation skill capable of sensitive actions on the host.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README advertises powerful desktop-control capabilities including screenshots, keyboard/mouse input, clipboard access, app launch, and automatic dependency installation, but it does not present a prominent risk warning, consent model, or safe-use guidance near those features. In the context of an agent skill, this can normalize installation and use of a component that can access sensitive on-screen data and control the host system, increasing the chance of unsafe deployment or user surprise.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README advertises capabilities such as screenshots, keyboard/mouse control, clipboard access, app launch, and window inspection, but does not prominently warn users that the skill can observe sensitive data and take impactful actions on the host. For a desktop-control skill, missing privacy and system-impact warnings increases the chance of unsafe installation or misuse, especially because the tool is positioned as easy to install and run.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README advertises powerful desktop-control capabilities including screenshots, keyboard/mouse input, clipboard access, and app launch, but it does not clearly warn users that these features can capture sensitive data and affect the host system. In a computer-use skill, these are expected capabilities, but missing risk disclosure increases the chance of unsafe deployment or uninformed consent.

Missing User Warnings

High
Confidence
98% confidence
Finding
The README explicitly states that screenshot filtering is set to 'none' yet does not warn that screenshots may include credentials, personal data, confidential documents, or other sensitive on-screen content. Because this skill is designed for full desktop observation/control, the absence of filtering combined with no prominent warning materially raises privacy and data-exposure risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
These routines expose full-screen capture capability and elsewhere the file also supports clipboard access, enabling collection of sensitive on-screen and copied data such as credentials, messages, tokens, and documents. In a computer-use skill this capability is core functionality, but the absence of any consent, scoping, redaction, or policy enforcement makes it privacy-dangerous if the skill is invoked inappropriately or by a compromised agent.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The open_app helper allows launching arbitrary local executables or desktop entries without any user-facing confirmation, policy check, or restriction to approved apps. In this skill context, application launching is expected, but unrestricted launch increases the blast radius of any misuse by enabling execution of powerful system tools or untrusted binaries present on the host.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This command surface can synthesize keystrokes, mouse actions, drags, scrolling, and clipboard writes directly into the user's desktop session with no local safety interlocks. In a computer-use runtime this is the intended feature set, but it is highly sensitive because a malicious or compromised controller could enter commands, approve prompts, alter documents, exfiltrate data via UI flows, or manipulate security settings.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code automatically creates a virtual environment, bootstraps pip, upgrades pip, and installs packages from requirements.txt without any explicit user-facing notice or consent. In a computer-use skill, this silently triggers network access and code installation on the host, which expands trust to external package sources and can surprise users or administrators, especially if dependencies change or a package source is compromised.

Missing User Warnings

High
Confidence
98% confidence
Finding
The session context auto-approves every resolved, not-yet-granted app permission request and merges in all requested flags without any user confirmation, policy enforcement, or allowlist restriction. In a computer-use skill, this effectively removes the safety boundary around which applications and capabilities the agent may control, enabling unintended access to sensitive apps, displays, clipboard data, or broader automation privileges.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
lastScreenshotDims?: ScreenshotDims
}

function autoApprovePermission(req: CuPermissionRequest): CuPermissionResponse {
  const granted = req.apps
    .filter(app => app.resolved && !app.alreadyGranted)
    .map(app => ({
Confidence
92% confidence
Finding
autoApprove

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
getDisplayPinnedByModel: () => state.displayPinnedByModel ?? false,
    getDisplayResolvedForApps: () => state.displayResolvedForApps,
    getLastScreenshotDims: () => state.lastScreenshotDims,
    onPermissionRequest: async req => autoApprovePermission(req),
    onAllowedAppsChanged: (apps, flags) => {
      state.allowedApps = [...apps]
      state.grantFlags = flags
Confidence
96% confidence
Finding
autoApprove

Unpinned Dependencies

Low
Category
Supply Chain
Content
mss>=10.1.0
Pillow>=11.3.0
pyautogui>=0.9.54
psutil>=7.0.0
Confidence
94% confidence
Finding
mss>=10.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
mss>=10.1.0
Pillow>=11.3.0
pyautogui>=0.9.54
psutil>=7.0.0
python-xlib>=0.33
Confidence
97% confidence
Finding
Pillow>=11.3.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
mss>=10.1.0
Pillow>=11.3.0
pyautogui>=0.9.54
psutil>=7.0.0
python-xlib>=0.33
Confidence
94% confidence
Finding
pyautogui>=0.9.54

Unpinned Dependencies

Low
Category
Supply Chain
Content
mss>=10.1.0
Pillow>=11.3.0
pyautogui>=0.9.54
psutil>=7.0.0
python-xlib>=0.33
Confidence
96% confidence
Finding
psutil>=7.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
Pillow>=11.3.0
pyautogui>=0.9.54
psutil>=7.0.0
python-xlib>=0.33
Confidence
93% confidence
Finding
python-xlib>=0.33

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
project/src/lib/execFileNoThrow.ts:9