openclaw-computer

Security checks across malware telemetry and agentic risk

Overview

The skill openly aims to control the desktop, but it gives the agent very broad screen, keyboard, file, app-launch, and process-control powers without the safeguards its documentation describes.

Install only if you are comfortable giving the agent broad control over your desktop session. Treat screenshots, recordings, clipboard access, arbitrary typing, file deletion, app launching, and process termination as sensitive, and prefer using a separate user account or disposable desktop session rather than a machine with private documents, credentials, or production access.

SkillSpector

By NVIDIA

Vulnerability Patterns

Behavioral ASTexec() Call, eval() Call, Dynamic Import
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (49)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: cmd.extend(args) # 后台运行 subprocess.Popen(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
Confidence: 92% confidence
Finding: subprocess.Popen(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: def disk_usage(self, path: str = "/") -> Dict[str, str]: """获取磁盘使用情况""" result = subprocess.run(["df", "-h", path], capture_output=True, text=True, check=True) lines = result.stdout.strip().split("\n")
Confidence: 86% confidence
Finding: result = subprocess.run(["df", "-h", path], capture_output=True, text=True, check=True)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: def close(self, name: Optional[str] = None, pid: Optional[int] = None): """关闭应用""" if pid: subprocess.run(["kill", str(pid)], check=True) elif name: subprocess.run(["pkill", "-f", name], check=True)
Confidence: 90% confidence
Finding: subprocess.run(["kill", str(pid)], check=True)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: if pid: subprocess.run(["kill", str(pid)], check=True) elif name: subprocess.run(["pkill", "-f", name], check=True) def focus(self, title: str): """聚焦窗口"""
Confidence: 93% confidence
Finding: subprocess.run(["pkill", "-f", name], check=True)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: def hotkey(self, *keys: str): """快捷键""" subprocess.run(["xdotool", "key", "+".join(keys)], check=True, capture_output=True) def press(self, key: str):
Confidence: 88% confidence
Finding: subprocess.run(["xdotool", "key", "+".join(keys)], check=True, capture_output=True)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: def press(self, key: str): """按下单个按键""" subprocess.run(["xdotool", "key", key], check=True, capture_output=True) def hold(self, key: str):
Confidence: 88% confidence
Finding: subprocess.run(["xdotool", "key", key], check=True, capture_output=True)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: def hold(self, key: str): """按住按键""" subprocess.run(["xdotool", "keydown", key], check=True, capture_output=True) def release(self, key: str):
Confidence: 90% confidence
Finding: subprocess.run(["xdotool", "keydown", key], check=True, capture_output=True)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: if args: cmd.extend(args) process = subprocess.Popen( cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
Confidence: 94% confidence
Finding: process = subprocess.Popen( cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, start_new_session=True )

subprocess module call

Medium

Category: Dangerous Code Execution
Content: save_path ] self.recording_process = subprocess.Popen( cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL
Confidence: 90% confidence
Finding: self.recording_process = subprocess.Popen( cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL )

subprocess module call

Medium

Category: Dangerous Code Execution
Content: # 截图 screenshot_path = "/tmp/find_image_screenshot.png" subprocess.run(["scrot", screenshot_path], check=True) # 加载图片 screenshot = cv2.imread(screenshot_path)
Confidence: 86% confidence
Finding: subprocess.run(["scrot", screenshot_path], check=True)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: check=True, capture_output=True) time.sleep(interval) else: subprocess.run(["xdotool", "type", text], check=True, capture_output=True) def hotkey(self, *keys: str):
Confidence: 90% confidence
Finding: subprocess.run(["xdotool", "type", text], check=True, capture_output=True)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: def kill_process(self, pid: int, force: bool = False): """结束进程""" if force: subprocess.run(["kill", "-9", str(pid)], check=True) else: subprocess.run(["kill", str(pid)], check=True)
Confidence: 95% confidence
Finding: subprocess.run(["kill", "-9", str(pid)], check=True)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: if force: subprocess.run(["kill", "-9", str(pid)], check=True) else: subprocess.run(["kill", str(pid)], check=True) def get_system_info(self) -> Dict: """获取系统信息"""
Confidence: 92% confidence
Finding: subprocess.run(["kill", str(pid)], check=True)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: if interactive or (x is None): # 交互式选择 if self._command_exists("scrot"): subprocess.run(["scrot", "-s", save_path], check=True) else: raise RuntimeError("交互式截图需要 scrot") else:
Confidence: 87% confidence
Finding: subprocess.run(["scrot", "-s", save_path], check=True)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: else: # 指定区域 if self._command_exists("import"): subprocess.run([ "import", "-window", "root", "-crop", f"{width}x{height}+{x}+{y}", save_path
Confidence: 87% confidence
Finding: subprocess.run([ "import", "-window", "root", "-crop", f"{width}x{height}+{x}+{y}", save_path ], check=True)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: if title: # 通过窗口标题截图 if self._command_exists("import"): subprocess.run([ "import", "-window", title, save_path ], check=True) else:
Confidence: 83% confidence
Finding: subprocess.run([ "import", "-window", title, save_path ], check=True)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: else: # 活动窗口 if self._command_exists("scrot"): subprocess.run(["scrot", "-u", save_path], check=True) self.history.append({ "path": save_path,
Confidence: 85% confidence
Finding: subprocess.run(["scrot", "-u", save_path], check=True)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: if self._command_exists("xclip"): # 从剪贴板获取图片 with open(save_path, 'wb') as f: subprocess.run( ["xclip", "-selection", "clipboard", "-t", "image/png", "-o"], stdout=f, check=True )
Confidence: 91% confidence
Finding: subprocess.run( ["xclip", "-selection", "clipboard", "-t", "image/png", "-o"], stdout=f, check=True )

subprocess module call

Medium

Category: Dangerous Code Execution
Content: """输入文本，支持速度控制""" if interval > 0: for char in text: subprocess.run(["xdotool", "type", char], check=True, capture_output=True) time.sleep(interval) else:
Confidence: 90% confidence
Finding: subprocess.run(["xdotool", "type", char], check=True, capture_output=True)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: """关闭应用，支持强制关闭""" if pid: if force: subprocess.run(["kill", "-9", str(pid)], check=True) else: subprocess.run(["kill", str(pid)], check=True) elif name:
Confidence: 95% confidence
Finding: subprocess.run(["kill", "-9", str(pid)], check=True)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: if force: subprocess.run(["kill", "-9", str(pid)], check=True) else: subprocess.run(["kill", str(pid)], check=True) elif name: if force: subprocess.run(["pkill", "-9", "-f", name], check=True)
Confidence: 91% confidence
Finding: subprocess.run(["kill", str(pid)], check=True)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: for tool_name, cmd in tools: if self._command_exists(tool_name): try: subprocess.run(cmd, check=True, capture_output=True) self.history.append({ "path": save_path, "type": "full",
Confidence: 86% confidence
Finding: subprocess.run(cmd, check=True, capture_output=True)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: subprocess.run(["kill", str(pid)], check=True) elif name: if force: subprocess.run(["pkill", "-9", "-f", name], check=True) else: subprocess.run(["pkill", "-f", name], check=True)
Confidence: 95% confidence
Finding: subprocess.run(["pkill", "-9", "-f", name], check=True)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: if force: subprocess.run(["pkill", "-9", "-f", name], check=True) else: subprocess.run(["pkill", "-f", name], check=True) def focus(self, title: str): """聚焦窗口"""
Confidence: 92% confidence
Finding: subprocess.run(["pkill", "-f", name], check=True)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 95% confidence
Finding: The skill exposes powerful capabilities including shell execution, file read/write, GUI control, screenshots, and task scheduling, but declares no explicit permissions or trust boundaries. That creates a confused-deputy risk where an agent may invoke the skill broadly without users or policy systems understanding that it can perform destructive local actions.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal