Is am-will/gemini-computer-use safe?

At monitoring initialization (04:20:18, audit seq 257-262), all six canary credential files were opened and read in rapid succession before any skill code executed. While the timing strongly implicates the Oathe monitoring system's baseline-hashing routine rather than malicious skill code (git clone does not begin until seq 489 at 04:20:23), the anomalous simultaneous READ of .env, id_rsa, AWS credentials, .npmrc, Docker config, and GCloud ADC in one burst must be flagged. No skill source code contains credential-reading logic and the integrity report confirms files were not modified or exfiltrated.

The agent loop captures a PNG screenshot of the full browser viewport after every action and sends it to Google's Gemini API as part of the function_response. Any content visible in the browser — OAuth tokens in URL bars, form autofill, internal dashboards, files opened in the browser — will be transmitted to an endpoint outside the user's control. This is not a bug but an architectural characteristic of the Computer Use API that users must accept explicitly.

The navigate handler calls page.goto(args['url']) with no URL scheme validation, no host allowlist, and no block on private IP ranges. A malicious prompt or a Gemini model response influenced by prompt injection on a visited website could redirect the browser to http://localhost:PORT, http://169.254.169.254/latest/meta-data/ (AWS IMDS), or any internal service. Combined with the screenshot exfiltration channel, this enables internal service enumeration and data capture.

The combination of navigate (arbitrary outbound HTTP), type_text_at (inject text into forms), and the agent's potential access to other skills or filesystem data creates a complete exfiltration chain: read data from disk via another skill, type it into a form on an attacker-controlled site, submit via Enter. The --exclude flag can suppress specific actions but the agent invoking the skill controls this flag, not the skill itself.

The scroll_document action uses page.evaluate() to execute JavaScript (window.scrollBy) directly in the page context. While the current usage is benign, this pattern demonstrates that the script already bridges the Python automation layer and the browser's JavaScript runtime. Future modifications or a Gemini model response that triggers unexpected scroll behavior could be crafted to exploit this.

The skill requires GEMINI_API_KEY to be exported in the shell environment before execution. This key is read via os.getenv() and used for all Gemini API calls. If the execution environment is shared with other skills or if an environment-reading skill is also loaded, this key is at risk of exfiltration.

The entire installation process made only the expected HTTPS connection to GitHub (140.82.121.4:443) for the sparse git clone. DNS resolution was normal, no secondary exfiltration endpoints were contacted, and the post-install network state is identical to pre-install. The install script (decoded from auditd hex) performed standard operations: clone, sparse-checkout, copy, cleanup.

Full review of SKILL.md reveals a straightforward browser automation setup guide with no hidden instructions, override directives, invisible unicode codepoints, HTML comments, or instructions to fetch external resources. The frontmatter description accurately reflects the skill's stated purpose.