Is lexylent/desktop-control-win safe?
https://github.com/openclaw/skills/tree/main/skills/lexylent/desktop-control-win
This Windows desktop automation skill provides legitimate functionality (window management, input simulation, process control, VSCode integration, clipboard/screenshot access) implemented via PowerShell scripts that compile C# Win32 API bindings at runtime. The installation is clean—no malicious payloads, no exfiltration code, no prompt injection, and all canary files remained intact. However, the combined capability set (keyboard injection, clipboard harvesting, screenshot, arbitrary process launch, and VSCode extension installation) is functionally equivalent to a remote access trojan's surface area, posing significant risk if the hosting LLM agent is ever manipulated via adversarial inputs. The mandatory ExecutionPolicy Bypass guidance and dynamic C# compilation patterns additionally lower the security baseline on the target Windows host.
Findings (10)
HIGH (-25) Dynamic Win32 C# compilation via P/Invoke in all scripts
All four PowerShell scripts use Add-Type with inline C# to compile and load Win32 API bindings at runtime (user32.dll: SetForegroundWindow, mouse_event, SetCursorPos, EnumWindows, GetWindowText, etc.). The result is compiled code, loaded into the PowerShell process, that P/Invokes native Win32 functions with the full permission set of the calling user, stepping outside the type-safety boundaries PowerShell's own cmdlets provide.
HIGH (-20) ExecutionPolicy Bypass normalized in all documented invocations
Every code example in SKILL.md includes -ExecutionPolicy Bypass, instructing the LLM agent to always disable Windows script execution policy enforcement. This overrides a security control that exists specifically to prevent unauthorized script execution and conditions users to treat the flag as normal.
HIGH (-35) Full desktop automation surface matches remote access trojan capability set
The combined capability set—keyboard and mouse simulation, screenshot capture, clipboard read/write, arbitrary process launch, process termination, and VSCode extension installation—is functionally identical to what a remote access trojan provides. While each capability is documented and user-facing, an LLM agent with this skill active presents an enormous attack surface if the agent itself is compromised via prompt injection or adversarial user input.
HIGH (-20) Clipboard read capability exposes secrets copied by user
The clipboard-get action reads and outputs the full clipboard content to the agent. Users routinely copy passwords, API keys, SSH keys, and tokens to the clipboard. An LLM agent that reads the clipboard could inadvertently expose or log this sensitive material.
MEDIUM (-15) Screenshot capability can capture sensitive screen content
The screenshot action captures the full primary screen or a specific window and saves to a path. If the agent takes screenshots during normal operation, any sensitive data visible on screen (passwords, private keys, financial data) is written to a file that could be further processed or transmitted.
MEDIUM (-15) Arbitrary VSCode extension installation
The install-extension action runs 'code --install-extension
MEDIUM (-15) Arbitrary process launch by full path
The process-manager start action and app-control launch action accept arbitrary executable paths and arguments, allowing the agent to start any program on the system. Combined with keyboard simulation, this could be chained to execute shell commands without the user directly requesting them.
LOW (-10) Keyboard simulation can inject commands into focused terminals
The type-text and send-keys actions send keystrokes directly to whatever window is currently focused. If a terminal or code editor is focused, the agent could be tricked via adversarial user data into typing arbitrary commands, including ones that pipe data to an external endpoint.
INFO (0) Canary file reads appear in auditd PATH log but all files confirmed intact
auditd PATH records show open/read syscalls on .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json at both 1771942645 (pre-install baseline) and 1771942665 (post-install). The monitoring system's own canary integrity check confirms all files are unmodified and no content was exfiltrated. The PS1 scripts cannot execute in the Linux audit environment, so skill-driven access is ruled out.
INFO (0) No prompt injection, instruction override, or hidden content detected
SKILL.md contains no attempts to override system instructions, switch personas, fetch external URLs, or hide instructions via unicode or markup tricks. Safety rules are user-protective and require confirmation before destructive actions.