Computer Use Agent (CUA) for macOS automation using TuriX. Use when you need to perform visual tasks on the desktop, such as opening apps, clicking buttons, or navigating UIs that don't have a CLI or API.
Security Analysis
medium confidenceThe skill's behavior matches a macOS visual-automation tool, but metadata and declared requirements are inconsistent and it asks users to grant high-privilege macOS permissions that could expose sensitive UI data — review before installing.
The skill is explicitly a macOS GUI automation agent (need macOS-only tools like screencapture, conda/python, and Node runtime), but the registry metadata declares no OS restriction and the skill lists no required binaries or env vars. The helper script hardcodes /opt/anaconda3 and a PROJECT_DIR placeholder, indicating it actually requires conda, python3, and a local TuriX project — these are not reflected in the declared requirements.
SKILL.md and README instruct the agent to run a local Python program (examples/main.py), update examples/config.json, write logs to .turix_tmp/logging.log, and request macOS Screen Recording and Accessibility permissions. These actions are coherent with the stated purpose (visual desktop automation), but they legitimately require capturing the screen and listening for keyboard events, which can expose sensitive on-screen content. The instructions do not instruct exfiltration to external endpoints, and the included run_turix.sh updates only the local config file in the project directory.
There is no install spec and the package is instruction-only plus a helper script. No downloads or remote installers are embedded in the provided files, which reduces risk. The README recommends cloning an external GitHub repo (https://github.com/TurixAI/TuriX-CUA) — any code pulled from there should be inspected separately.
The skill declares no required environment variables or credentials, which is appropriate, but the runtime expects and references several system components (conda at /opt/anaconda3/bin/conda, a conda env named turix_env, python3, and potentially a Node binary) and asks you to grant Screen Recording and Accessibility access to Terminal/Node/VS Code. Those are high-privilege capabilities; they are proportionate to GUI automation but should be explicitly declared up-front in metadata (they are not).
always is false and the skill does not request elevated platform privileges or attempt to modify other skills; it only updates its own examples/config.json and writes logs under the project directory. However, enabling Screen Recording and Accessibility grants long-lived privileges to the specified binaries which increases the blast radius if those binaries are later compromised.
Guidance
This skill appears to be a macOS desktop automation helper and mostly does what it says, but there are several things to check before installing: - Verify OS and binaries: This is macOS-specific. Ensure you actually run it on macOS and that the hardcoded paths (PROJECT_DIR, CONDA_PATH /opt/anaconda3/bin/conda, ENV_NAME turix_env) match your environment or are adjusted safely. - Inspect remote code: README points to a GitHub repo. If you follow that install, inspect the repository (examples/main.py and any dependencies) before running to confirm no unexpected network calls or data exfiltration. - Review and limit permissions: The skill requires Screen Recording and Accessibility permissions to capture the UI and send input. These allow any granted binary to read your screen and capture keystrokes — only grant them to binaries you trust, and prefer creating a dedicated, least-privilege account for automation. - Check what is written: The script updates examples/config.json and writes logs to .turix_tmp/logging.log in the project directory. Review those files to ensure they do not contain or transmit sensitive secrets. - Confirm no undeclared environment needs: The skill did not declare required binaries or an OS restriction in metadata. Treat that as a red flag: ask the publisher (or examine files) to confirm required runtime components and permissions before use. If you are not comfortable granting screen-capture / accessibility to local binaries you do not fully trust, do not install or run this skill. Run in an isolated environment or VM, inspect the code (examples/main.py and any dependencies), and only then grant permissions.
Latest Release
v1.0.8
Change the display name
Popular Skills
Published by @Tongyu-Yan on ClawHub
