virtual-remote-desktop

Security checks across malware telemetry and agentic risk

Overview

The skill’s remote desktop purpose is legitimate, but it makes persistent system changes and can expose sensitive desktop sessions in ways users should review before installing.

Install only if you need an AI-controlled remote desktop and are comfortable with sudo package installation, a possible persistent ssl-cert group change, stored browser profiles/screenshots, and temporary VNC credentials. Prefer 127.0.0.1 with SSH tunneling, avoid public binding unless tightly firewalled and time-limited, and clean ~/.openclaw/vrd-data after sensitive sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Context-Inappropriate Capability

Medium (95% confidence)
Finding
The script automatically modifies the caller's system group membership by running `sudo usermod -a -G ssl-cert "$USER"` in order to access the TLS private key. That exceeds the normal scope of starting a user desktop session and creates a lasting privilege expansion beyond the lifetime of this process.

Missing User Warnings

Medium (95% confidence)
Finding
The skill recommends a 'temporary public takeover' mode with KASM_BIND=0.0.0.0 but does not give an explicit warning that this exposes the remote desktop to the network/Internet depending on host firewall and cloud settings. Because this skill is designed for browser sessions involving login, MFA, and captcha handoff, unintended exposure could allow session hijacking, credential theft, or unauthorized desktop access.

Missing User Warnings

Medium (91% confidence)
Finding
The script captures the full virtual desktop and persists it as a PNG on disk before optionally returning it as base64. In a remote-desktop automation skill, screenshots can contain credentials, session cookies, MFA prompts, personal data, or other sensitive UI content, so writing them to a retained directory increases exposure if the host is multi-tenant, backed up, or later accessed by another process/user.

Missing User Warnings

Medium (91% confidence)
Finding
The script sources a pidfile from a writable path and treats its contents as shell code. If an attacker can modify $WORKDIR or the pids.env file, arbitrary commands may execute when the script runs, and environment variables like DISPLAY or XAUTHORITY can be poisoned to redirect automation into another session. In this remote-desktop automation context, that expands the attack surface beyond simple configuration loading.

Missing User Warnings

Medium (84% confidence)
Finding
The script blindly injects keystrokes into whichever X window is active via xdotool. In a shared, stolen-focus, or misdirected session, sensitive input could be sent to the wrong application, trigger unintended actions, or submit credentials into attacker-controlled prompts. Because this skill is explicitly designed for remote desktop takeover and human handoff, accidental or unauthorized input injection is more dangerous than in a normal local utility.

Missing User Warnings

Low (92% confidence)
Finding
The script prints the exact paths of the user and secret files during health checks. While it does not disclose the secret contents, exposing credential file locations can aid an attacker with local log access or telemetry visibility by revealing where sensitive material is stored and simplifying follow-on targeting.

Missing User Warnings

Medium (96% confidence)
Finding
The script invokes `sudo usermod` without an explicit confirmation gate or prior setup step, causing an unexpected privileged system change during routine startup. Silent or lightly-announced privilege-affecting behavior is risky because operators may run it assuming it is a purely user-scoped helper.

Missing User Warnings

Medium (95% confidence)
Finding
The status command prints sensitive operational details including the Kasm username, Chrome profile path, cookie-file location and externally reachable URL. In a remote-desktop skill used for login handoff and browser automation, these values materially aid local attackers, log collectors, or support tooling in identifying session state and targeting credential-bearing browser data.

Missing User Warnings

Medium (96% confidence)
Finding
The script executes `source "${PIDFILE}"`, which treats the PID file as shell code rather than parsing it as data. If an attacker can modify that file or influence the path passed as the first argument, they can achieve arbitrary command execution in the context of the script, including when the file is re-sourced inside the monitoring loop. In this skill's context, the script manages a remote desktop service and stop workflow, so compromise could let an attacker interfere with session lifecycle or run commands on the host.

VirusTotal

66/66 vendors flagged this skill as clean.
