Windows UI Automation
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is transparent and purpose-aligned, but it gives the agent broad ability to type and click anywhere on the Windows desktop without built-in scope or confirmation limits.
Install only if you are comfortable letting the agent control your active Windows desktop. Keep sensitive apps closed or unfocused, ask the agent to verify the target window with screenshots, and require confirmation before any click or keystroke that could submit, delete, purchase, send, or change settings.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked at the wrong time or against the wrong window, the agent could click buttons, type text, submit forms, or trigger changes in sensitive desktop apps.
This grants broad desktop input authority. The skill does not clearly require confirmation or target-window checks before actions that could affect arbitrary local applications.
Control the Windows desktop environment programmatically. ... Mouse: Move, click ... Keyboard: Send text, press special keys
Use only for explicit user-directed desktop automation. Require screenshot/target-window verification and user confirmation before typing, clicking, submitting, deleting, or changing settings.
Users may not realize they are running local PowerShell script files from an unknown source.
The supplied metadata under-describes provenance and executable content, while the manifest and SKILL.md include runnable PowerShell helper files. The files are visible here, so this is a provenance/review-context gap rather than hidden code.
Source: unknown ... No install spec — this is an instruction-only skill. ... Code file presence: No code files present
Inspect the included .ps1.txt files before use, and update metadata to declare Windows/PowerShell requirements and the helper scripts.
The script can generate real mouse clicks in the active Windows session.
The script compiles an inline C# wrapper and calls native Windows mouse APIs. This is expected for mouse automation, but it is still native desktop input execution.
Add-Type -TypeDefinition $source ... [DllImport("user32.dll")] ... mouse_eventRun it only in a controlled desktop session and avoid invoking it while sensitive windows are focused.