Oathe Security Badge

Is dreamtraveler13/guicountrol safe?

https://github.com/openclaw/skills/tree/main/skills/dreamtraveler13/guicountrol

Score: 87 (SAFE)

The linux-gui-control skill is a legitimate GUI automation toolkit wrapping xdotool, wmctrl, dogtail, and scrot for Linux X11/GNOME desktop interaction. The skill content is clean: no prompt injection, no exfiltration logic, no hidden instructions, no malicious install-time behavior. The primary risks are inherent to any desktop automation skill — unsanitized shell inputs enabling keystroke injection into arbitrary windows, full-screen screenshot capability, and explicit documentation of pkill for process termination — all of which represent significant ambient authority granted to an LLM agent via system prompt inclusion. Canary files were accessed only by the audit framework's own baseline scans.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 70/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (6)

MEDIUM Unsanitized shell input in gui_action.sh -20

The gui_action.sh wrapper passes $1 and $2 directly to xdotool and wmctrl without input validation. An agent directed to type or click via this script can inject arbitrary keystrokes or window focus changes into any running application, including password managers, terminals, and browsers.

MEDIUM pkill arbitrary process termination in documented workflow -10

SKILL.md explicitly documents the use of pkill to terminate named processes before relaunching with accessibility flags. This instruction, injected into an agent's system prompt, enables the agent to kill any named process including security monitors, audit daemons, or antivirus tools.

LOW Inherent full-desktop control capability grants agent excessive ambient authority -30

By design, this skill gives an LLM agent the ability to control any application window, simulate keystrokes in any context including password fields, take full-screen screenshots, and move or resize any window. This is the largest inherent risk of any GUI automation skill and represents significant ambient authority being granted to the agent when the skill is included in its system prompt.

LOW Screenshot action can capture sensitive on-screen content -10

The scrot screenshot capability documented in gui_action.sh captures the full display. If an agent is manipulated or misconfigured, it may capture passwords, private keys, API tokens, or other sensitive information visible on screen and store or transmit the image.

INFO Canary file accesses attributed to audit framework baseline scans -5

Six sensitive canary files were opened at two points: timestamp 1771928546 (before git clone at 1771928551, during GDM session initialization) and timestamp 1771928569 (after install, consistent with post-install audit verification). The pattern of all 6 files accessed at identical millisecond timestamps indicates automated audit sweeps rather than skill-initiated access. Canary integrity confirmed intact.

INFO Clean sparse checkout from expected monorepo -10

The skill installation used a shallow clone with GIT_TEMPLATE_DIR=/dev/null and sparse-checkout targeting only the expected skill subpath. The temporary clone was removed after copy. All network activity during install was to github.com (140.82.112.4).