Skill v1.0.0
VirusTotal security
Mac Use 1.0.0 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review Apr 30, 2026, 6:21 AM
- Hash: 252e84aa627b7a4fd05ad9e707429be978143cd1daaf2b44ec9f0f5b243cac5d
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: mac-use-1-0-0. Version: 1.0.0. The skill provides powerful macOS GUI automation capabilities using Apple Vision OCR and Quartz APIs, which are aligned with its stated purpose. However, it is classified as suspicious due to multiple AppleScript injection vulnerabilities in `scripts/mac_use.py`. Specifically, functions like `activate_app`, `keystroke_via_osascript`, and `raise_window` interpolate user-controlled strings (e.g., `app_name`, `key`) directly into AppleScript commands executed via `osascript` without adequate sanitization. While no evidence of intentional malice was found, these flaws could be exploited to execute arbitrary shell commands if the AI agent is manipulated into using specially crafted application names or key combinations.
- External report: View on VirusTotal
