Back to skill

Security audit

Computer Use Windows

Security checks across malware telemetry and agentic risk

Overview

This Windows computer-control skill is purpose-aligned, but it gives an agent broad desktop, screenshot, app, and clipboard authority without a real user approval step.

Install only if you are comfortable letting an agent control a Windows desktop session. Prefer a dedicated VM or non-sensitive Windows profile, close secrets and private documents before use, and avoid enabling it on machines with production access, financial accounts, or privileged sessions. Review the dependency bootstrap path because first run installs npm/pip packages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises and instructs use of shell, network, and environment-dependent behavior (`npm install`, build, bootstrap runtime) without declaring corresponding permissions. This creates a transparency and policy-enforcement gap: reviewers or platforms may underestimate what the skill can do, while execution still enables package download, command execution, and access to host environment state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The description frames the skill mainly as a standalone runtime/bootstrap mechanism, but the actual behavior includes powerful desktop-control capabilities such as screenshots, keyboard/mouse control, clipboard access, application enumeration, and window/session interaction. That mismatch is dangerous because it obscures the true sensitivity of the skill, increasing the chance of unsafe approval or use on hosts containing secrets or privileged sessions.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The session context automatically grants every resolved app request and merges all requested permission flags without any user approval, policy gate, or allowlist enforcement. In a computer-use skill, this effectively removes the trust boundary around application control and can let the agent expand its access to installed apps and capabilities silently.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README advertises screenshots, mouse/keyboard control, clipboard access, app launch, and app/window inspection without an equally prominent warning that these capabilities can expose sensitive data and perform destructive user actions. For a desktop-control skill, weak disclosure increases the chance of unsafe deployment or accidental over-trust by users and integrators, especially since the runtime self-bootstrap installs dependencies and enables broad control on first use.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README advertises highly sensitive capabilities—screen capture, clipboard access, keyboard/mouse control, and application launching—without a clear user-facing warning about privacy, unintended input, or system-impact risks. In a computer-control skill, omission of such warnings increases the chance that users enable or run it without understanding that it can observe secrets on screen, read copied data, and drive privileged or destructive actions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README explicitly states that screenshot filtering is set to 'none', meaning screenshots may include any visible sensitive content, yet it does not pair that statement with a strong warning to users. Because this skill is specifically designed for remote computer use and screenshot collection, the lack of filtering combined with missing warnings materially increases privacy and data-exposure risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file implements screenshot capture and clipboard read/write primitives with no consent flow, warning, redaction, or policy enforcement. In a computer-use skill, these capabilities are especially sensitive because they can expose passwords, MFA codes, confidential documents, and other on-screen or clipboard secrets from the user's active session.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The runtime can launch applications and perform broad UI automation actions without any user-facing approval, confirmation, or restrictions. In the context of a top-level Windows computer-use skill, this materially increases danger because it enables arbitrary interaction with the host desktop, including opening tools, navigating sensitive apps, and chaining actions with screen/clipboard access for full-session compromise.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This code reads the current clipboard, overwrites it with arbitrary text, pastes via Ctrl+V, and then restores the prior clipboard contents, all without any visible consent, notification, or scope restriction. In a computer-control skill, the clipboard often contains sensitive material such as passwords, tokens, copied documents, or personal data, so silent access materially increases the risk of data exposure and covert manipulation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The screenshot path captures full display contents and returns image data without any visible disclosure, confirmation, or redaction controls in this layer. Because on-screen data can include credentials, messages, financial data, or other sensitive information, unrestricted capture in a remote computer-use skill creates a meaningful privacy and data-exfiltration risk.

Missing User Warnings

High
Confidence
99% confidence
Finding
Permission requests are approved with no user-facing warning, consent, or audit checkpoint, which is especially dangerous in a Windows computer-use runtime that can interact with desktop applications. This enables silent privilege expansion within the skill's operational scope and undermines the expected safeguard that sensitive app access should be explicitly authorized.

Unpinned Dependencies

Low
Category
Supply Chain
Content
mss>=10.1.0
Pillow>=11.3.0
pyautogui>=0.9.54
psutil>=7.0.0
Confidence
95% confidence
Finding
mss>=10.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
mss>=10.1.0
Pillow>=11.3.0
pyautogui>=0.9.54
psutil>=7.0.0
pywin32>=310
Confidence
98% confidence
Finding
Pillow>=11.3.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
mss>=10.1.0
Pillow>=11.3.0
pyautogui>=0.9.54
psutil>=7.0.0
pywin32>=310
Confidence
94% confidence
Finding
pyautogui>=0.9.54

Unpinned Dependencies

Low
Category
Supply Chain
Content
mss>=10.1.0
Pillow>=11.3.0
pyautogui>=0.9.54
psutil>=7.0.0
pywin32>=310
Confidence
97% confidence
Finding
psutil>=7.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
Pillow>=11.3.0
pyautogui>=0.9.54
psutil>=7.0.0
pywin32>=310
Confidence
97% confidence
Finding
pywin32>=310

Known Vulnerable Dependency: Pillow — 10 advisory(ies): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category
Supply Chain
Confidence
86% confidence
Finding
Pillow

Known Vulnerable Dependency: psutil — 2 advisory(ies): CVE-2019-18874 (Double Free in psutil); CVE-2019-18874 (psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs bec)

High
Category
Supply Chain
Confidence
92% confidence
Finding
psutil

Known Vulnerable Dependency: pywin32 — 2 advisory(ies): CVE-2021-32559 (Integer overflow in pywin32); CVE-2021-32559 (An integer overflow exists in pywin32 prior to version b301 when adding an acces)

High
Category
Supply Chain
Confidence
91% confidence
Finding
pywin32

VirusTotal

51/51 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
project/src/lib/execFileNoThrow.ts:9