windows-automation

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine Windows automation skill, but it grants broad desktop control (screenshots, mouse and keyboard input, app launching, process termination) and builds its PowerShell commands by interpolating caller-supplied strings into script text. Users should review both points before installing.

Install only if you intentionally want an agent to control a Windows desktop. Use it in a non-sensitive session, avoid running the agent as administrator, keep private content off screen, and require explicit confirmation before screenshots, clicks, typing, URL launches, form submissions, saves, or process kills. Until the PowerShell escaping issues are fixed, supply paths, URLs, window titles, typed text, and process names only from a source you trust; never let the agent pass through strings it lifted from web pages, documents, or other untrusted content, because a quote or a $(...) subexpression in such a value becomes part of the executed script.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (28)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
ps_cmd += f" -Wait -Timeout {timeout}"

        # Execute the PowerShell command
        result = subprocess.run(
            ["powershell", "-Command", ps_cmd],
            capture_output=True,
            text=True,
Confidence
98% confidence
Finding
result = subprocess.run( ["powershell", "-Command", ps_cmd], capture_output=True, text=True, timeout=timeout + 10 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""
    try:
        ps_cmd = f"Stop-Process -Name '{process_name}' -Force"
        result = subprocess.run(
            ["powershell", "-Command", ps_cmd],
            capture_output=True,
            text=True
Confidence
96% confidence
Finding
result = subprocess.run( ["powershell", "-Command", ps_cmd], capture_output=True, text=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
$wshell.SendKeys("{text}")
        '''

        result = subprocess.run(
            ["powershell", "-Command", ps_script],
            capture_output=True,
            text=True,
Confidence
96% confidence
Finding
result = subprocess.run( ["powershell", "-Command", ps_script], capture_output=True, text=True, timeout=60 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
[Mouse]::SetCursorPos({x}, {y})
            '''

        result = subprocess.run(
            ["powershell", "-Command", ps_script],
            capture_output=True,
            text=True,
Confidence
92% confidence
Finding
result = subprocess.run( ["powershell", "-Command", ps_script], capture_output=True, text=True, timeout=10 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
}}
        '''

        subprocess.run(
            ["powershell", "-Command", ps_script],
            capture_output=True,
            text=True,
Confidence
88% confidence
Finding
subprocess.run( ["powershell", "-Command", ps_script], capture_output=True, text=True, timeout=10 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
[Mouse]::mouse_event(0x0800, 0, 0, {scroll_amount}, 0)
        '''

        subprocess.run(
            ["powershell", "-Command", ps_script],
            capture_output=True,
            text=True,
Confidence
87% confidence
Finding
subprocess.run( ["powershell", "-Command", ps_script], capture_output=True, text=True, timeout=10 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
Write-Output "{output_path}"
        '''

        result = subprocess.run(
            ["powershell", "-Command", ps_script],
            capture_output=True,
            text=True,
Confidence
91% confidence
Finding
result = subprocess.run( ["powershell", "-Command", ps_script], capture_output=True, text=True, timeout=30 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
}}
        '''

        result = subprocess.run(
            ["powershell", "-Command", ps_script],
            capture_output=True,
            text=True,
Confidence
97% confidence
Finding
result = subprocess.run( ["powershell", "-Command", ps_script], capture_output=True, text=True, timeout=30 )
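The quoting problem behind the eight subprocess findings above, shown as an added example that is not code from the skill or from the scanner. The two unsafe builders reproduce the f-string pattern visible in the excerpts (a single-quoted Stop-Process argument and a double-quoted SendKeys argument). The hardened builders validate the process name against an allowlist, refuse a protected-process set, single-quote values for PowerShell, escape SendKeys control characters, and hand the finished script to powershell.exe as -EncodedCommand so the Windows command-line parser cannot re-split it. The protected-process set, the process-name pattern, and the hostile inputs are assumptions constructed for the example.

```python
import base64
import re
from typing import Optional

# Process names an agent-driven skill should never be allowed to kill.
# Assumed for this example; the skill itself has no such list.
PROTECTED_PROCESSES = frozenset({
    "lsass", "csrss", "wininit", "winlogon", "services", "smss",
    "explorer", "msmpeng", "securityhealthservice",
})

# Conservative shape for a Windows image name without ".exe" (assumed).
_PROCESS_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def ps_quote(value: str) -> str:
    """Return value as a PowerShell single-quoted literal.

    Inside single quotes PowerShell does no variable or $(...) expansion;
    the only character that needs escaping is the quote itself, doubled.
    """
    return "'" + value.replace("'", "''") + "'"


def sendkeys_literal(text: str) -> str:
    """Escape text so WScript.Shell.SendKeys types it literally.

    SendKeys reads + ^ % ~ ( ) { } [ ] as control syntax (Shift, Ctrl, Alt,
    Enter, grouping, key names); each must be wrapped in braces.
    """
    return "".join("{" + c + "}" if c in "+^%~(){}[]" else c for c in text)


def reject_reason(process_name: str) -> Optional[str]:
    """Why a process name must not reach Stop-Process, or None if it may."""
    if not _PROCESS_NAME_RE.fullmatch(process_name):
        return "name contains characters outside the allowlist"
    if process_name.lower() in PROTECTED_PROCESSES:
        return "name is on the protected-process list"
    return None


def build_kill_unsafe(process_name: str) -> str:
    """The pattern flagged above: the value is spliced into the script text."""
    return f"Stop-Process -Name '{process_name}' -Force"


def build_kill_safe(process_name: str) -> str:
    reason = reject_reason(process_name)
    if reason is not None:
        raise ValueError(f"refusing to kill {process_name!r}: {reason}")
    # Quoting is kept even though the allowlist already excludes quotes.
    return f"Stop-Process -Name {ps_quote(process_name)} -Force"


def build_sendkeys_unsafe(text: str) -> str:
    """Double-quoted string: PowerShell expands $var and $(...) inside it,
    and a literal " in the value ends the string early."""
    return ('$wshell = New-Object -ComObject WScript.Shell; '
            f'$wshell.SendKeys("{text}")')


def build_sendkeys_safe(text: str) -> str:
    if any(ord(c) < 0x20 for c in text):
        raise ValueError("control characters are not allowed in typed text")
    return ("$wshell = New-Object -ComObject WScript.Shell; "
            f"$wshell.SendKeys({ps_quote(sendkeys_literal(text))})")


def powershell_argv(script: str) -> list:
    """argv for subprocess.run: -EncodedCommand carries the script as
    base64(UTF-16LE), so the Windows command-line parser never re-splits
    it or strips its quotes the way a -Command string can be mangled."""
    encoded = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return ["powershell", "-NoProfile", "-NonInteractive",
            "-EncodedCommand", encoded]


if __name__ == "__main__":
    # Constructed hostile inputs; the trailing # comments out the rest of
    # the original statement so the injected one parses and runs.
    hostile_name = "notepad'; Write-Output injected #"
    print(build_kill_unsafe(hostile_name))
    print("rejected:", reject_reason(hostile_name))
    hostile_text = "hello $(whoami) ~"          # ~ alone would press Enter
    print(build_sendkeys_unsafe(hostile_text))
    print(build_sendkeys_safe(hostile_text))
    print(powershell_argv(build_kill_safe("notepad")))
```

Two details matter when checking this against the excerpts. In the Stop-Process case the injected value closes the single quote and starts a new statement; the trailing # is what lets the payload parse, since PowerShell rejects the whole script if the dangling `' -Force` remains. In the SendKeys case the value sits in a double-quoted string, so `$(whoami)` is evaluated before anything is typed, and any unescaped `~` is sent as Enter to whatever window has focus. The argv returned by powershell_argv is what would be passed to subprocess.run in place of the `["powershell", "-Command", ps_cmd]` form seen above.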

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill is presented as an app launcher but also includes process enumeration and forced termination features, which materially expand its control over the host. In an agent context, this increases abuse potential by enabling reconnaissance of running software and disruption of security tools or user applications.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrase "点击" ("click") is extremely generic and can match ordinary conversational requests, causing the Windows automation skill to activate outside clearly intended desktop-control scenarios. In a skill that can move the mouse and simulate input, unintended invocation increases the chance of accidental UI actions, data entry, or destructive clicks in the wrong application context.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrase "自动操作" ("automatic operation") is broad and ambiguous, so it may capture many general automation requests that are not specifically about Windows desktop control. Because this skill can launch apps, kill processes, capture screens, and simulate input, over-triggering materially raises the risk of unintended high-privilege or privacy-impacting actions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill exposes process termination capability via `app_launcher.py kill` without clearly warning that it can forcibly close applications and potentially cause data loss. In a desktop automation context, users may not realize that terminating the wrong process can interrupt work, corrupt unsaved state, or stop security-relevant applications.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The screenshot functionality lacks privacy and data-handling warnings even though it can capture the full screen or specific windows, potentially including credentials, personal information, confidential documents, or security prompts. In a Windows desktop automation skill, screenshots are especially sensitive because they can collect broad ambient data unrelated to the user's immediate task.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill documents mouse and keyboard automation without warning that focus changes, timing issues, or incorrect coordinates can send input to the wrong window and trigger unintended submissions, purchases, deletions, or configuration changes. This risk is heightened here because the skill encourages direct simulation of clicks, hotkeys, and text entry across arbitrary applications.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The force-kill function terminates processes immediately with -Force and no confirmation, safeguards, or protected-process restrictions. In an agent setting, a mistaken or malicious request could kill critical business applications, security tools, or user work, causing denial of service or data loss.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script provides unattended keyboard simulation, including arbitrary text entry and shortcut execution, without any confirmation, focus validation, safety interlock, or warning to the caller. In an agent/skill context this is dangerous because it can drive other applications, approve dialogs, run destructive shortcuts, or exfiltrate data through UI interaction.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Launching PowerShell to perform keystroke injection is a sensitive capability, and the function does so without disclosing that it will invoke a shell or affect the active window. In a skill environment, lack of disclosure increases the chance of hidden or surprising actions against whatever application currently has focus.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The key and combo actions also invoke PowerShell-backed keyboard events without warning or confirmation. Even though the inputs are allowlisted, these functions can still trigger sensitive shortcuts such as Alt+F4, Win+R, or Ctrl+L in whichever window is active, which is risky in an agent-controlled environment.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill provides direct mouse movement, clicking, dragging, and scrolling with no user confirmation, authorization gating, or visible warning. In an agent setting, GUI automation can be abused to approve prompts, alter settings, exfiltrate data indirectly, or drive the user interface in ways the user did not intend.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The function can capture the full contents of a user's screen and save them to disk without any consent prompt, notice, or runtime confirmation. In an agent skill context, silent screenshot capability materially increases privacy risk because it can expose credentials, messages, documents, and other sensitive on-screen data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This routine captures a specific application window's visible contents without any user-facing disclosure or confirmation. In practice, targeted window capture can be even more privacy-invasive than full-screen capture because it enables focused collection of chats, email, financial apps, or password manager windows.

Vague Triggers

High
Confidence
96% confidence
Finding
The application-control trigger phrases are broad everyday expressions such as opening apps or websites, with no clear confirmation, scoping, or authorization requirements. In a desktop automation skill, accidental or overly permissive activation could launch programs or URLs unexpectedly, which can be chained into unsafe actions or social-engineering-driven misuse.

Vague Triggers

High
Confidence
97% confidence
Finding
The screenshot-related triggers are generic and do not constrain what may be captured, from which window, or under what consent conditions. Because screenshots can expose sensitive on-screen content, broad activation language materially increases the risk of unintended data capture and privacy violations.

Vague Triggers

High
Confidence
98% confidence
Finding
Mouse and keyboard automation are highly powerful capabilities, and the listed triggers include very generic terms like clicking, typing, shortcuts, and keyboard input. Without strict activation conditions and safety checks, the skill could be invoked unintentionally to interact with arbitrary applications, submit forms, alter settings, or perform destructive UI actions.

Vague Triggers

High
Confidence
98% confidence
Finding
The 'other' trigger list contains extremely broad terms such as automation, RPA, and window control that could match many benign user utterances. In the context of a skill capable of screenshots, input simulation, and process control, unclear activation boundaries significantly raise the chance of unintended execution and misuse.

VirusTotal

0/67 vendors flagged this skill as malicious; all 67 reported it clean. A clean antivirus verdict does not address the findings above: the command-construction and excessive-capability issues are design defects in legitimate code, not signatures that malware scanners detect.