v1.0.0

openclaw-computer

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:38 AM.

Analysis

This is a coherent computer-control skill, but it grants broad unsandboxed desktop, file, app/process, screenshot, and recording powers that should be reviewed carefully before installation.

GuidanceThis does not show evidence of hidden exfiltration or malware, but it is a powerful computer-control skill. Only install it if you are comfortable granting OpenClaw direct control over your mouse, keyboard, screen capture, applications, processes, and files. Review the source and dependencies, keep sensitive apps closed during use, and require manual confirmation for deletion, process termination, account actions, and screen recording.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

SKILL.md

Provides GUI automation, file management, screenshot capture, application control, and system monitoring capabilities.

The skill intentionally exposes many high-impact local automation tools at once. The artifacts do not pair this broad capability with clear approval gates, scope limits, or containment rules.

User impactIf invoked incorrectly, the agent could click, type, open apps, capture the screen, or act in the wrong desktop context.

RecommendationInstall only if you intend to let OpenClaw operate your desktop directly, and require explicit user confirmation before actions that change files, apps, accounts, or visible UI state.

Cascading Failures

SeverityHighConfidenceHighStatusConcern

computer_use.py

def delete(self, path: str): ... if os.path.isdir(path): shutil.rmtree(path) else: os.remove(path)

The Python API can recursively delete any expanded user-supplied path, with no visible trash/recovery mechanism, allowlist, dry run, or confirmation step.

User impactA wrong path or mistaken instruction could permanently remove important local files or directories.

RecommendationAdd confirmation and safe-path controls for delete/move operations, prefer moving to trash, and avoid allowing autonomous deletion of broad directories.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

metadata

Source: unknown; Homepage: none; Install specifications: No install spec — this is an instruction-only skill.

For a skill with full desktop-control behavior, limited provenance and missing formal install metadata make it harder for users to verify exactly what they are installing and what dependencies are required.

User impactUsers have less registry-level assurance about origin and setup requirements for a high-impact automation skill.

RecommendationVerify the package source before installation and prefer a version with declared dependencies, pinned package versions, and a clear homepage or repository.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusConcern

computer_use.py

subprocess.run(["xdotool", "type", text], check=True)

Keyboard automation types into the active user session, meaning the agent can act through whatever local apps or logged-in accounts are currently open.

User impactThe agent may perform actions under the user's identity in browsers, terminals, chat apps, admin panels, or other focused applications.

RecommendationUse this skill in a controlled desktop profile or sandbox when possible, keep sensitive apps closed, and require explicit approval before actions involving logged-in services or privileged applications.