Back to skill

Security audit

Mac Use 1.0.0

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it gives an agent broad screen-reading and Mac GUI-control power with weak containment around sensitive actions and temporary data.

Install only if you are comfortable granting the OpenClaw host process macOS Screen Recording and Accessibility access. Use it for supervised, bounded tasks; avoid password managers, banking, admin settings, private messages, payment flows, deletion flows, and public posting unless you explicitly confirm each step. Clear /tmp/mac_use*.png, /tmp/mac_use_elements.json, and the clipboard after sensitive sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def activate_app(app_name):
    """Bring an app to the foreground."""
    subprocess.run(
        ["osascript", "-e", f'tell application "{app_name}" to activate'],
        capture_output=True,
        timeout=5,
Confidence
98% confidence
Finding
subprocess.run( ["osascript", "-e", f'tell application "{app_name}" to activate'], capture_output=True, timeout=5, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
else:
        mod_str = ""
    script = f'tell application "System Events" to keystroke "{key}"{mod_str}'
    r = subprocess.run(["osascript", "-e", script], capture_output=True, timeout=10)
    if r.returncode != 0:
        sys.stderr.write(f"osascript keystroke failed: {r.stderr.decode().strip()}\n")
Confidence
98% confidence
Finding
r = subprocess.run(["osascript", "-e", script], capture_output=True, timeout=10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f'to perform action "AXRaise" of window "{safe_title}"'
    )
    try:
        subprocess.run(["osascript", "-e", script], capture_output=True, timeout=5)
        time.sleep(0.3)
    except Exception:
        pass
Confidence
97% confidence
Finding
subprocess.run(["osascript", "-e", script], capture_output=True, timeout=5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill invokes shell commands, installs packages, writes artifacts to /tmp, and automates arbitrary GUI interaction, but it does not declare permissions corresponding to those capabilities. That creates a trust and policy gap: users or the host platform may not realize the skill can execute commands and capture/write sensitive screen data, increasing the chance of unsafe deployment or misuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This skill is specifically designed to capture screenshots of arbitrary macOS application windows, and those screenshots may contain passwords, messages, tokens, financial data, or other sensitive on-screen content. Failing to prominently warn about that risk can lead users to expose confidential data unintentionally, especially because the workflow instructs repeated screenshots and saving annotated images to predictable temporary paths.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The tool writes arbitrary text to the system clipboard and pastes it into the active application without any confirmation, disclosure, or restoration of prior clipboard contents. In a GUI automation skill, this is more dangerous because the active target may be a password manager, terminal, chat app, or production console, causing accidental secret leakage, destructive commands, or silent clipboard theft/overwrite.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The helper captures a full-screen screenshot and stores it in predictable files under /tmp before cropping to the target window. In this skill context, that can unintentionally collect unrelated apps, notifications, credentials, or personal data and expose them to other local processes or later reads if temporary files are reused or left behind.

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyobjc-framework-Vision>=12.0
pyautogui>=0.9
Pillow>=10.0
Confidence
94% confidence
Finding
pyobjc-framework-Vision>=12.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyobjc-framework-Vision>=12.0
pyautogui>=0.9
Pillow>=10.0
Confidence
95% confidence
Finding
pyautogui>=0.9

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyobjc-framework-Vision>=12.0
pyautogui>=0.9
Pillow>=10.0
Confidence
93% confidence
Finding
Pillow>=10.0

Known Vulnerable Dependency: Pillow — 10 advisory(ies): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category
Supply Chain
Confidence
98% confidence
Finding
Pillow

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.