Huo15 Openclaw Desktop Control

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed macOS desktop-control helper, but it grants broad screen, keyboard, mouse, clipboard, and shell-control authority with very broad trigger phrases.

Install only if you intentionally want an agent to control your macOS desktop. Review the trigger phrases, keep macOS Accessibility and Screen Recording permissions limited to environments where this is acceptable, and be careful using it around passwords, private documents, browser sessions, or financial/account-management workflows.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 86% confidence
Finding: The alias and trigger set is very broad, including everyday phrases like '控制电脑', '帮我点', and '帮我截屏'. This can cause the skill to activate in many normal conversations about interacting with apps or the desktop, increasing the chance of unintended high-privilege desktop automation being invoked when the user did not specifically intend to use this skill.

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The activation guidance says the skill should trigger for essentially any request involving controlling apps, mouse, keyboard, or screen. In a skill bound to a powerful desktop-control MCP, that ambiguity materially raises the risk of overbroad invocation and accidental execution of sensitive actions on the user's machine.

VirusTotal

45/45 vendors flagged this skill as clean.

View on VirusTotal