Is windows-control safe?

https://clawhub.ai/Spliff7777/windows-control

52
CAUTION

This skill provides legitimate Windows desktop automation via pyautogui and pywinauto, with no malicious code, no network exfiltration, and clean install behavior. However, the capabilities it grants an AI agent — full keyboard/mouse control, screen capture, and window text extraction — are functionally equivalent to a Remote Access Toolkit. The primary risk is not the skill itself but what an agent (or a prompt-injected agent) could do with these capabilities: execute arbitrary commands via the Run dialog, read sensitive content from any application, and capture the full screen.

Category Scores

Prompt Injection 75/100 · 30%
Data Exfiltration 40/100 · 25%
Code Execution 35/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 20/100 · 5%

Findings (8)

CRITICAL Full arbitrary command execution via key simulation -40

The combination of key_press.py (win+r to open Run dialog) and type_text.py (type any command) allows the agent to execute arbitrary system commands outside any sandbox. An agent could be socially engineered or prompt-injected into running 'py key_press.py win+r' then 'py type_text.py "powershell -c Invoke-WebRequest ..."' then 'py key_press.py enter'.

HIGH Screen capture and window text reading expose all visible sensitive data -35

screenshot.py captures the entire screen as base64 PNG. read_window.py extracts all text from any named window. Together these can read password managers, banking sites, private messages, terminal output with secrets, and any other visible content. While the scripts themselves don't transmit data, the agent can relay this information through its normal conversation channel.

HIGH Browser content extraction includes form fields and page content -25

read_webpage.py with the --full flag extracts input field values from browsers, which may contain passwords, tokens, or other credentials currently in form fields. read_ui_elements.py provides a full map of all interactive elements across the desktop.

HIGH close_window.py can force-close applications causing data loss -15

close_window.py uses partial title matching to close any window. An agent could close unsaved documents, terminals running important processes, or security software.

MEDIUM Skill instructs agent to execute shell commands with no guardrails -25

SKILL.md teaches the agent to run 'py script.py ' commands. While not a direct prompt injection, this establishes a pattern where the agent routinely executes shell commands, making it easier for secondary prompt injections (from websites, documents, etc.) to leverage these capabilities.

MEDIUM Skill creates full RAT-equivalent capabilities for the agent -80

The complete set of capabilities (screenshot, keyboard, mouse, window reading, window management) is functionally equivalent to a Remote Access Toolkit. While each script is individually simple and non-malicious, the combination gives an AI agent the same power as a human attacker with physical access to the machine.

LOW pyautogui failsafe is enabled but easily bypassed -10

The SKILL.md mentions pyautogui.FAILSAFE = True as a safety feature, but individual scripts don't explicitly set it, and the agent could disable it by typing 'import pyautogui; pyautogui.FAILSAFE = False' into a Python REPL.

INFO Clean clone behavior — no malicious activity during installation 0

No network connections, no unexpected processes, no filesystem changes outside the skill directory. The .env and .aws/credentials reads are from the OpenClaw agent runtime, not from the skill itself.