Trust Assessment
desktop-control received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 1 critical, 1 high, 3 medium, and 0 low severity. Key findings include "Missing required field: name", "Arbitrary Command Execution via shell=True" and "Sensitive Screen Content Captured and Returned".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 41/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary Command Execution via shell=True: The `DesktopController.run_command` method executes shell commands using `subprocess.run(command, shell=True)`. This is highly dangerous as it allows arbitrary command execution if the `command` string can be influenced by untrusted input. While the current `_plan_task` in `AIDesktopAgent` hardcodes commands, the `TODO` comment explicitly mentions integrating with an LLM for intelligent planning. If an LLM generates the `command` string based on user input, or if `_plan_task` were to parse user input for application names, an attacker could inject malicious commands. The `_check_approval` mechanism is a weak mitigation as it relies on user vigilance. Avoid `shell=True` when executing external commands. Instead, pass commands as a list of arguments (e.g., `subprocess.run([command_name, arg1, arg2])`) and explicitly specify the full path to executables. If `shell=True` is absolutely necessary, ensure `command` is strictly validated and sanitized, or use a whitelist of allowed commands and arguments. | LLM | `__init__.py:201` |
| HIGH | Sensitive Screen Content Captured and Returned: The `AIDesktopAgent.execute_task` method captures screenshots (`screenshot_before`, `screenshot_after`) before and after each step and includes these `PIL Image` objects directly in its return `result`. This means that any system consuming the output of `AIDesktopAgent.execute_task` will receive potentially sensitive screen content, which could include personal data, credentials, or proprietary information visible on the user's desktop. While this is core functionality for a vision-based agent, it poses a significant data exfiltration risk if the `result` is transmitted or stored insecurely by the calling agent or LLM. Implement strict data handling policies for the `result` object, especially the `screenshots`. Consider redacting sensitive areas of screenshots, applying privacy filters, or requiring explicit user consent before transmitting or storing them. Ensure that the calling agent/LLM is aware of the sensitive nature of this data and handles it appropriately (e.g., not sending raw screenshots to external LLM APIs without user approval). | LLM | `ai_agent.py:108` |
| MEDIUM | Missing required field: name: The `name` field is required for claude_code skills but is missing from the frontmatter. Add a `name` field to the `SKILL.md` frontmatter. | Static | `skills/matagul/desktop-control/SKILL.md:1` |
| MEDIUM | Arbitrary File Write for Screenshots: The `DesktopController.screenshot` function allows saving a screenshot to an arbitrary `filename` specified by the caller. If an attacker can control this `filename` argument, they could specify a path that leads to data exfiltration (e.g., writing screenshots to a publicly accessible web server directory, a network share, or overwriting critical system files if permissions allow). This is a common vulnerability in file-writing functions where the path is user-controlled without proper validation. Implement strict validation and sanitization of the `filename` argument. Restrict file saving to a designated, secure directory (e.g., a temporary directory or a user-approved output folder). Prevent absolute paths or paths containing directory traversal sequences (`../`) from being used. | LLM | `__init__.py:260` |
| MEDIUM | Unpinned Dependencies in Installation Instructions: The installation instructions in `SKILL.md` (`pip install pyautogui pillow opencv-python pygetwindow`) do not specify exact version numbers for the dependencies. This practice can lead to non-deterministic builds, where different versions of libraries might be installed at different times. This poses a supply chain risk as it could silently pull in vulnerable or malicious versions of libraries if a dependency is compromised or updated with breaking changes. Pin all dependencies to specific, known-good versions (e.g., `pyautogui==0.9.0`). Use a `requirements.txt` file with exact versions generated by `pip freeze > requirements.txt` after a successful installation. Regularly audit and update these pinned versions. | LLM | `SKILL.md:109` |