Back to skill

Security audit

Computer Use Macos

Security checks across malware telemetry and agentic risk

Overview

This is a real macOS computer-control skill, but it auto-approves powerful app and clipboard permissions instead of requiring clear user approval.

Install only if you are comfortable giving this skill macOS Accessibility and Screen Recording access and letting an agent operate your desktop. Review the source first, run it only in trusted local sessions, avoid sensitive windows or clipboard contents, and be aware that its standalone permission flow auto-grants requested app and clipboard/system-key flags rather than asking you each time.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises shell, network, and environment-driven behavior but does not declare permissions, which weakens transparency and informed consent for a highly privileged automation skill. In this context, the omission is risky because the bundled runtime can build software, install dependencies, and control the host, so users may execute it without understanding the full trust boundary.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The description materially understates the skill's effective capabilities: it is presented as a portable runtime/bootstrap wrapper, but the bundled behavior includes broad desktop surveillance and control primitives plus runtime package installation. That mismatch is dangerous because users may approve or install the skill for a narrow purpose while unknowingly granting a tool that can capture sensitive on-screen data, manipulate apps, and affect the local system across sessions.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The executor reads the current clipboard, overwrites it with arbitrary text, triggers paste, and then restores the previous contents. This creates access to potentially sensitive clipboard data and can leak or interfere with user secrets without any consent, disclosure, or scoping, especially if the clipboard contains passwords, tokens, or personal information.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The session context automatically grants all resolved app permission requests and merges in any requested grant flags without any user approval, policy gate, or allowlist validation. In a computer-use runtime, this is especially dangerous because it can silently expand the agent's ability to interact with additional applications and system surfaces, increasing the blast radius of prompt injection, misuse, or agent mistakes.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The build and run instructions direct the user to execute npm installation, build steps, and a Node entrypoint that can modify the system and bootstrap a Python environment, but they provide no prominent warning about code execution or system changes. This is dangerous because it normalizes running unreviewed code with network access and follow-on dependency installation on the local machine, increasing the chance of accidental compromise or unexpected persistence.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README advertises broad desktop-control capabilities including screenshots, keyboard/mouse input, app launching, window inspection, and clipboard access, but it does not prominently warn users about the privacy and system-safety implications of granting Accessibility and Screen Recording permissions. In a computer-control skill, understated risk communication can lead users to install and authorize a highly privileged tool without understanding that it can observe sensitive data and perform actions on their behalf.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Clipboard read/write and paste behavior happens silently in this code, with no visible notice to the user that their clipboard will be accessed and modified. Silent clipboard manipulation undermines user expectations and can expose sensitive copied data or cause accidental disclosure into the active application.

Missing User Warnings

High
Confidence
99% confidence
Finding
The session context automatically grants requested app permissions by default via onPermissionRequest -> autoApprovePermission(req), with no user confirmation, policy gate, or warning. In a computer-use skill, this is especially dangerous because the runtime can expand its own access to installed applications and requested flags, enabling unintended control of sensitive apps and broader automation without meaningful human approval.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code provides screen-capture and clipboard read/write primitives that can collect or alter highly sensitive user data, including credentials, messages, documents, and tokens. In a computer-use agent skill, these capabilities are especially dangerous because they are exposed as callable commands without any in-code confirmation, per-action disclosure, redaction, or allowlist constraints.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The helper exposes unrestricted keyboard and mouse automation, enabling arbitrary interaction with the user's desktop, including approving prompts, changing settings, sending messages, or triggering destructive actions. In this skill context, that power materially increases risk because it can be chained with screen reading and app discovery to perform full GUI-driven account takeover or data exfiltration.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code reads the current clipboard, overwrites it with arbitrary text, triggers a simulated Command+V paste, and then restores the prior clipboard contents, all without any in-file user disclosure or consent gating. In a computer-control skill, clipboard contents commonly include passwords, tokens, personal data, and copied secrets, so silent access and modification materially increases the risk of data theft, unintended disclosure, or command injection into another application.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The screenshot path captures display contents through the Python helper with no visible disclosure, notification, or consent mechanism in this file. Because screenshots can expose emails, messages, credentials, financial data, and other sensitive on-screen content, silent capture in a macOS computer-use runtime is a real privacy and data-exfiltration risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This section exposes broad device-control primitives—keyboard input, mouse movement/clicks, drag, scroll, app discovery, app launching, and frontmost-app inspection—via a Python helper, without any user-facing warning or approval flow in this code. In the context of a top-level macOS computer-use skill, these capabilities enable full UI automation that could be abused to execute destructive actions, exfiltrate data, alter settings, or drive other trusted applications on the user's behalf.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code automatically creates a Python virtual environment and installs dependencies on first use without any user-facing disclosure or consent. In a bundled computer-use skill, this behavior can unexpectedly modify the local system state and trigger package installation workflows, which increases supply-chain and transparency risk even if the implementation is not overtly malicious.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill invokes pip upgrade and requirements installation at runtime, which is network-capable behavior and is not surfaced to the user. This creates exposure to dependency confusion, malicious package compromise, or unexpected outbound network activity during normal skill execution, especially because the skill bootstraps itself automatically.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code approves permission requests without any user-facing warning, confirmation dialog, or secondary authorization step. Because this skill is a self-bootstrapping macOS computer-use runtime, silent approval removes the main safety boundary that would normally prevent an agent from broadening its own access during execution.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer uses `rsync -a --delete` to synchronize into the user's skill directory, which will remove any files in the destination that are not present in the source. If the destination path is broader than intended, misconfigured via `CODEX_HOME`, or already contains user-modified content, running the installer can silently delete data without confirmation or backup. In the context of a self-bootstrapping skill installer, this behavior is more dangerous because installation is expected to be routine and may be run with high trust by users.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
import { DEFAULT_GRANT_FLAGS } from './vendor/computer-use-mcp/types.js';
import { checkComputerUseLock, tryAcquireComputerUseLock } from './computer-use/computerUseLock.js';
function autoApprovePermission(req) {
    const granted = req.apps
        .filter(app => app.resolved && !app.alreadyGranted)
        .map(app => ({
Confidence
88% confidence
Finding
autoApprove

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
getDisplayPinnedByModel: () => state.displayPinnedByModel ?? false,
        getDisplayResolvedForApps: () => state.displayResolvedForApps,
        getLastScreenshotDims: () => state.lastScreenshotDims,
        onPermissionRequest: async (req) => autoApprovePermission(req),
        onAllowedAppsChanged: (apps, flags) => {
            state.allowedApps = [...apps];
            state.grantFlags = flags;
Confidence
95% confidence
Finding
autoApprove

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
project/dist/lib/execFileNoThrow.js:4

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
project/src/lib/execFileNoThrow.ts:9