Is computer-use safe?
https://clawhub.ai/Ram-Raghav-S/computer-use
This skill provides full desktop GUI automation (mouse, keyboard, screenshots) for headless Linux servers via 17 shell scripts and an Xvfb/XFCE/VNC stack. While no malicious intent or active exploitation was detected, the skill grants extraordinarily broad capabilities — an LLM agent with this skill can perform any action a desktop user could, including opening terminals, executing commands, and accessing files. The setup script makes persistent system-level changes including systemd services and replaced binaries. The inherent power of unrestricted desktop automation without guardrails makes this a CAUTION-level skill.
Findings (9)
CRITICAL Full desktop control via 17 shell scripts -40
The skill provides complete GUI automation: mouse clicks, keyboard input, screenshots, scrolling, and dragging. Any instruction from the LLM can be translated into arbitrary desktop actions including opening terminals and executing commands, navigating file managers to sensitive directories, or interacting with any GUI application.
HIGH setup-vnc.sh makes persistent system-level changes -25
The setup script installs 10+ system packages via sudo apt, copies systemd service files to /etc/systemd/system/, enables services to auto-start on boot, and replaces the system binary /usr/bin/xfdesktop with a no-op script. These changes persist across reboots and modify the system at a privileged level.
HIGH Unrestricted agent-driven desktop automation is inherently dangerous -50
An LLM agent with this skill can perform ANY action a human user could perform at a desktop. There are no guardrails, allowlists, or confirmation prompts in the scripts. If the agent is tricked (via prompt injection from another skill or web content) or makes an error, it could perform destructive actions with no rollback capability.
MEDIUM Screenshot capture exposes all visible desktop content -15
screenshot.sh and zoom.sh capture the full screen (or regions) as base64 PNG and return the data to the LLM. If sensitive information is displayed on the desktop (credentials, emails, documents), it will be captured and sent to the LLM provider's API.
MEDIUM No input sanitization on xdotool parameters -15
Scripts like key.sh, type_text.sh, click.sh pass user/agent-supplied arguments directly to xdotool without validation or sanitization. While xdotool itself is not a shell interpreter, arbitrary key combinations (e.g., ctrl+alt+t for terminal, then typing commands) enable indirect command execution.
MEDIUM Sensitive files accessed during installation context -30
During the skill install process, .env, .aws/credentials, and OpenClaw config files were read. While these reads appear to originate from the OpenClaw platform runtime rather than the skill itself, the skill was being installed in this execution context.
LOW SKILL.md suggests running setup script with elevated privileges -15
The SKILL.md instructs users to run ./scripts/setup-vnc.sh which internally uses sudo. While this is documented, the casual phrasing 'Run the setup script to install everything' understates the scope of system changes.
LOW VNC server creates remote access surface -20
The skill sets up x11vnc and noVNC. While both are configured to listen on localhost only, a misconfiguration, or use in combination with SSH tunneling, could expose the desktop to unauthorized remote viewers.
INFO No npm install scripts or git hooks present 0
The skill has no package.json with install scripts, no .githooks directory, no .gitattributes filters, no submodules, and no symlinks. The skill is purely shell scripts and markdown.