by 安全扫描
OpenClaw
安全
high confidenceThe skill's code and instructions are coherent with its stated purpose (local macOS screen capture, OCR/image matching, coordinate mapping, and pyautogui clicks); it does not request credentials or perform network/exfiltration in the provided files.
评估建议
This skill appears to be what it claims: a local macOS GUI automation helper. Before installing, consider these steps: (1) Review the included scripts yourself (they operate only on local files and perform clicks/screen captures). (2) Install dependencies in an isolated environment (virtualenv) and inspect packages in requirements.txt before pip installing. (3) Install Tesseract via Homebrew as instructed — note the registry metadata didn't list this binary requirement. (4) Grant macOS Screen Re...详细分析 ▾
ℹ 用途与能力
Name/description match the included scripts: calibration, screenshot capture, OCR (pytesseract), OpenCV template matching, and pyautogui clicks. Minor mismatch: SKILL.md and the code require the external Tesseract binary and Python packages (requirements.txt), but the registry metadata lists no required binaries — the Tesseract dependency is not declared in metadata.
✓ 指令范围
Runtime instructions are explicit and limited to local operations: take screenshots, resize to logical coordinates, run OCR/template matching on local images, write/read /tmp/macos_desktop_control/calibration.json and screen images, and perform local mouse clicks with pyautogui. The README instructs the user to grant macOS Screen Recording and Accessibility permissions (expected). No code references network calls, external endpoints, or unrelated system files.
ℹ 安装机制
There is no registry install spec (instruction-only), but a requirements.txt is included and the SKILL.md instructs 'pip install -r requirements.txt' and 'brew install tesseract'. Installing Python packages from PyPI and a Homebrew binary is standard for this kind of tool but carries the normal supply-chain risk of third-party packages; there are no downloads from unknown or shortener URLs in the skill files.
✓ 凭证需求
The skill requests no environment variables or credentials. It does require macOS permissions (Screen Recording and Accessibility) to function, which is expected for GUI automation. No other sensitive system paths or credentials are accessed by the code.
✓ 持久化与权限
always is false and the skill does not try to modify other skills or system-wide agent settings. It stores state only under /tmp/macos_desktop_control (calibration and screenshots). Autonomous invocation is allowed by platform default but there is no elevated or persistent privilege requested by the skill itself.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/20
init
● 无害
安装命令
点击复制官方npx clawhub@latest install desktop-control-for-macos
镜像加速npx clawhub@latest install desktop-control-for-macos --registry https://cn.longxiaskill.com