Is amrdab/clawd-cursor safe?

https://github.com/openclaw/skills/tree/main/skills/amrdab/clawd-cursor

Score: 66/100 · CAUTION

Clawd-cursor is a desktop GUI automation skill whose SKILL.md contains no prompt-injection patterns and does not attempt credential theft from within the skill descriptor itself. However, the installation path requires cloning and npm-installing an external, unaudited GitHub repository (AmrDab/clawd-cursor), which was not analyzed in this audit; any compromise of that supply chain would execute arbitrary code with full user privileges. The skill's core design — sending full desktop screenshots to external AI APIs and providing OS-level mouse/keyboard control — is a structurally high-risk capability profile that requires explicit trust in both the external repository and the AI provider receiving screen content.

Category Scores (score/100 · weight in overall score)

Prompt Injection 90/100 · 30%
Data Exfiltration 50/100 · 25%
Code Execution 35/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (9)

HIGH External Unaudited Repository Installation -40

The install instructions require cloning https://github.com/AmrDab/clawd-cursor.git and running npm install && npm run build. This external repository was not cloned or analyzed during this audit. Any malicious code, compromised npm dependency, or postinstall hook in that repository would execute with full user privileges during installation. SKILL.md's claim of 'no postinstall scripts' cannot be verified without auditing that repo's package-lock.json and all transitive dependencies.

HIGH By-Design Screenshot Exfiltration to External AI APIs -30

The skill's primary functionality captures full desktop screenshots and transmits them to Anthropic or OpenAI APIs for vision processing. Any sensitive content visible on screen — credentials, PII, private documents, authentication tokens, internal dashboards — is sent externally on every task invocation. While disclosed in the privacy notice, this is a structural data exfiltration channel that cannot be disabled without disabling the skill entirely.

HIGH Full OS Desktop Control — Highest User-Space Privilege -30

The @nut-tree-fork/nut-js library grants the agent native OS-level input injection and screen capture. This means the agent can type into any application, click any UI element, read any on-screen content, and perform any action a human user could. There is no sandboxing. The safety tier system (Auto/Preview/Confirm) is enforced by the skill's own HTTP API, which can be bypassed by any local process calling POST /confirm.

MEDIUM AI API Key Accessible to Installed Binary -20

The skill requires AI_API_KEY stored in a .env file in the project root. The installed binary reads this key at runtime. If the external npm package tree contains a compromised dependency, that dependency can read the .env file and exfiltrate the API key, enabling ongoing unauthorized API calls.

MEDIUM Localhost API Bypassable by Local Processes -20

The Express API on 127.0.0.1:3847 is accessible to any process running on the host, not just the authorized agent. A malicious local process (or a second agent skill) could issue POST /confirm to approve destructive actions in the 🔴 Confirm tier, effectively bypassing the safety tier system without user knowledge.

MEDIUM npm Build Scripts Execute External Toolchain Code -15

npm run build executes scripts defined in the external repository's package.json. These build scripts can invoke any installed binary or download additional tools. Combined with the unaudited dependency tree from npm install, this represents a second code execution vector beyond postinstall hooks.

LOW Only Skill Metadata Installed — External Repo Not Cloned -5

During this audit, only SKILL.md and _meta.json were installed from the openclaw/skills monorepo. The AmrDab/clawd-cursor repository was not cloned, npm install was not run, and no node binary was executed. All observed network traffic (140.82.121.3:443) was legitimate git traffic to GitHub for the monorepo sparse-checkout. This audit therefore assessed the skill descriptor only, not the installed software.

INFO SKILL.md Clean — No Injection Patterns Detected 0

SKILL.md contains no instruction override attempts, no invisible unicode, no HTML comments, no base64-encoded instructions, no persona-switching directives, and no requests to suppress output. The document is straightforward technical documentation for a desktop automation tool.

INFO Canary File Reads Attributed to Audit Infrastructure 0

Reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials occurred at audit timestamps 1771918958 (pre-install baseline) and 1771918977 (post-install check). All reads are CLOSE_NOWRITE with no correlated outbound network data. Pattern matches Oathe's own canary integrity monitoring, not skill-originated access.