Back to skill

Security audit

PC Control

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises, but it gives an agent broad live Windows desktop control with weak safety boundaries.

Install only if you intentionally want an agent to see and operate your active Windows desktop. Close sensitive windows first, keep the service bound to localhost, protect or delete the token and temp screenshots, verify every action, and stop the server when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def install():
    cmd = f"& '{PY}' -m pip install {' '.join(DEPS)}"
    result = subprocess.run([POWERSHELL, "-Command", cmd], capture_output=True, text=True, timeout=120)
    print(result.stdout)
    if result.returncode != 0:
        print(f"错误: {result.stderr}")
Confidence
95% confidence
Finding
result = subprocess.run([POWERSHELL, "-Command", cmd], capture_output=True, text=True, timeout=120)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f"-ArgumentList '{win_server}' "
        f"-WindowStyle Hidden"
    )
    subprocess.run([POWERSHELL, "-Command", cmd], capture_output=True, timeout=15)

    for _ in range(timeout // 2):
        time.sleep(2)
Confidence
89% confidence
Finding
subprocess.run([POWERSHELL, "-Command", cmd], capture_output=True, timeout=15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if not is_running():
        return True
    # 强制关闭
    subprocess.run(
        [POWERSHELL, "-Command",
         "Get-Process python -ErrorAction SilentlyContinue | Where-Object {$_.CommandLine -like '*server.py*'} | Stop-Process -Force"],
        capture_output=True, timeout=10
Confidence
91% confidence
Finding
subprocess.run( [POWERSHELL, "-Command", "Get-Process python -ErrorAction SilentlyContinue | Where-Object {$_.CommandLine -like '*server.py*'} | Stop-Process -Force"], cap

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The launcher is capable of spawning Windows-side processes through PowerShell rather than limiting itself to narrow desktop interaction primitives. In the context of a remote desktop-control skill, expanding capability to arbitrary host-side process execution increases the blast radius if the skill is misused or its configuration is manipulated.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The shutdown endpoint exposes server lifecycle control over the same API used for desktop automation, even though stopping the service is not necessary for the stated remote-control purpose. Any party with the bearer token can remotely terminate the service, enabling denial of service and potentially disrupting an active desktop-control session.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This skill performs real mouse and keyboard actions on the user’s active Windows desktop, but the description does not prominently warn users about the risk of unintended clicks, keystrokes, focus issues, or interaction with sensitive applications. In this context, the omission is significant because desktop automation can trigger destructive actions, expose confidential on-screen data, or interfere with a live user session even if the feature is intended for legitimate assistance.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The screenshot method decodes captured desktop imagery and stores it in a persistent temporary file using delete=False, which can leave sensitive screen contents recoverable on disk after use. In a remote desktop control skill, screenshots may contain credentials, personal data, or confidential business information, so undisclosed local persistence increases privacy and data exposure risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The shutdown path forcibly kills matching Python processes without user warning or confirmation and without ensuring the matched process is the one originally started by this launcher. In a desktop automation context, this can interrupt unrelated workloads on the user's Windows machine and cause loss of unsaved state.

Missing User Warnings

High
Confidence
97% confidence
Finding
These endpoints allow screenshots, mouse control, keyboard input, hotkeys, and drag operations with no user-facing consent, confirmation, rate limiting, or action scoping. In this skill context, the API is specifically designed to control a live desktop, so misuse of a leaked token or unintended invocation could lead to account actions, data exposure, destructive GUI interactions, or execution of arbitrary commands through the desktop session.

Unpinned Dependencies

Low
Category
Supply Chain
Content
fastapi
uvicorn
mss
pyautogui
Confidence
95% confidence
Finding
fastapi

Unpinned Dependencies

Low
Category
Supply Chain
Content
fastapi
uvicorn
mss
pyautogui
pillow
Confidence
95% confidence
Finding
uvicorn

Unpinned Dependencies

Low
Category
Supply Chain
Content
fastapi
uvicorn
mss
pyautogui
pillow
Confidence
89% confidence
Finding
mss

Unpinned Dependencies

Low
Category
Supply Chain
Content
fastapi
uvicorn
mss
pyautogui
pillow
Confidence
90% confidence
Finding
pyautogui

Unpinned Dependencies

Low
Category
Supply Chain
Content
uvicorn
mss
pyautogui
pillow
Confidence
97% confidence
Finding
pillow

Known Vulnerable Dependency: fastapi — 3 advisory(ies): CVE-2021-32677 (Cross-Site Request Forgery (CSRF) in FastAPI); CVE-2021-32677 (FastAPI is a web framework for building APIs with Python 3.6+ based on standard ); CVE-2024-24762 (FastAPI is a web framework for building APIs with Python 3.8+ based on standard )

High
Category
Supply Chain
Confidence
91% confidence
Finding
fastapi

Known Vulnerable Dependency: uvicorn — 4 advisory(ies): CVE-2020-7694 (Log injection in uvicorn); CVE-2020-7695 (HTTP response splitting in uvicorn); CVE-2020-7694 (This affects all versions of package uvicorn. The request logger provided by the) +1 more

High
Category
Supply Chain
Confidence
93% confidence
Finding
uvicorn

Known Vulnerable Dependency: pillow — 10 advisory(ies): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category
Supply Chain
Confidence
96% confidence
Finding
pillow

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.