Back to skill

Security audit

Desktop Control 1.0.0

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent desktop automation, but it needs review because it can control the live desktop, read screenshots and clipboard data, and act with limited default confirmation.

Install only if you intentionally want an agent to control your real desktop. Keep failsafe enabled, use approval mode for sensitive workflows, close private windows, avoid clipboard reads unless necessary, and supervise any action that submits forms, changes files, saves screenshots, launches apps, or posts through logged-in accounts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The skill’s declared purpose emphasizes mouse, keyboard, and screen control, but the document also exposes broader capabilities such as window enumeration/activation, clipboard read/write, and OS-level launching via hotkeys. That mismatch matters because these additional primitives can be combined to access sensitive data, manipulate other applications, and trigger unintended system actions beyond what a user may reasonably expect from the description.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill’s stated purpose is mouse, keyboard, and screen automation, but it also exposes window enumeration/activation and clipboard access. These extra capabilities expand the attack surface beyond the declared scope and can be abused to inspect user context, switch to sensitive applications, or manipulate copied data without clear disclosure.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Reading from the system clipboard is a sensitive capability because it may expose passwords, tokens, personal data, or copied enterprise secrets. In a desktop-control skill, this is not clearly necessary for core mouse/keyboard/screen automation and therefore represents unjustified access to sensitive user data.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The guide promotes broad natural-language task execution and explicitly says the agent 'figures out how to do it autonomously' without defining scope boundaries, confirmation requirements, or forbidden actions. In a desktop-control skill, unconstrained NL invocation can enable unintended or unsafe actions across arbitrary applications, especially when combined with planning, vision, and input automation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide states the agent takes screenshots and performs screen analysis but provides no privacy warning or handling guidance for captured screen contents. Screenshots may contain passwords, personal data, confidential documents, tokens, or chats, and storing or processing them without safeguards materially increases leakage risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The autonomous text-entry examples include typing into editors and composing emails while saying the agent 'figures out where to type,' which risks sending or inserting sensitive or incorrect content into the wrong window or recipient. Without confirmation and target validation, this can cause data disclosure, accidental communication, or harmful actions performed under the user's identity.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documented planning flow includes opening and saving files without warning that user files may be modified, overwritten, or saved to unintended locations. In an autonomous desktop agent, file operations can cause data loss, corruption, or persistence of sensitive content if paths and save targets are inferred incorrectly.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The social-media-posting example automates publication of user content to an external platform without warning about outbound transmission, permanence, or account misuse. In a desktop automation context, this can expose private media or text, post from the wrong account, or create reputational and compliance harm with a single unintended action.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The guide documents disabling the failsafe as a 'fast mode' option without prominently warning that this removes an important brake on uncontrolled mouse/keyboard automation. If the planner or screen interpretation goes wrong, the agent may continue interacting with arbitrary UI elements, causing destructive or hard-to-stop actions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The quick-reference includes a 'Replace all' workflow that can trigger bulk modifications without any warning, preview step, or backup guidance. In a desktop automation skill, this is more dangerous than ordinary documentation because the examples are designed to execute UI actions directly and could cause large-scale unintended edits or data loss if reused blindly.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Advertising screenshot capture and clipboard access without a prominent warning understates the risk of collecting secrets visible on screen or stored in the clipboard, such as passwords, tokens, personal data, or confidential documents. In a desktop automation skill, these features are especially sensitive because they enable broad observation of user activity and data without necessarily making that risk obvious.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The examples demonstrate actions that can change files, submit forms, move data, and interact with live desktop state, but they do not prominently warn about the risk of unintended clicks, data overwrite, accidental submission, or manipulation of the wrong window. Because desktop automation acts directly on the user’s environment, even benign examples can normalize unsafe usage patterns if they omit guardrails.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The screenshot function can capture the full screen or a region and save it directly to disk without approval by default. This can silently persist sensitive information such as emails, credentials, documents, or internal dashboards, increasing the risk of unintended collection and later exfiltration.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Writing to the clipboard without notice can overwrite user data and facilitate tricking users or downstream applications into pasting attacker-controlled content. Because clipboard contents are often transient and trusted by users, silent replacement can disrupt workflows or contribute to credential/command injection scenarios.

Missing User Warnings

High
Confidence
97% confidence
Finding
The exported convenience functions instantiate a global controller with default settings, meaning desktop actions occur with require_approval=False unless the caller manually constructs a safer controller first. In a skill that can move the mouse, click, type, trigger hotkeys, and capture screenshots, this makes powerful workstation control available through a minimal API with no user-facing safeguard by default.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The agent automatically captures screenshots before and after each action step, which can collect sensitive desktop contents such as emails, messages, documents, credentials, or other private information without any explicit user-facing disclosure or consent flow. In a desktop automation skill, this is especially risky because tasks may traverse arbitrary applications and windows, making broad screen collection more dangerous than in a narrowly scoped UI tool.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This step writes a screenshot image to disk using a default filename without any explicit notice, consent, retention policy, or secure storage handling. Persisting desktop screenshots increases exposure because sensitive visual data remains on the filesystem after execution and may be accessed later by other users, processes, backups, or malware.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.