Is guicountrol safe?

https://clawhub.ai/dreamtraveler13/guicountrol

52 · CAUTION

This skill provides unrestricted desktop GUI automation capabilities (clicking, typing, screenshotting, killing processes) with zero guardrails or confirmation mechanisms. While the skill code itself contains no hidden malice — no obfuscation, no exfiltration endpoints, no install hooks — its design gives any AI agent wielding it the equivalent of full physical access to the user's desktop. The primary risk is not what the skill does alone, but what it enables when combined with prompt injection or other malicious skills.

Category Scores

Prompt Injection 72/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 35/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 25/100 · 5%

Findings (8)

HIGH Unrestricted shell command execution by design -45

The skill's core functionality is executing shell commands (xdotool, wmctrl, scrot, pkill) through the agent. gui_action.sh accepts arbitrary arguments for click coordinates, window names, text to type, and keys to press, with no input validation or allowlisting. The agent can be directed to interact with any application on the desktop, including terminals where arbitrary commands could be typed.

HIGH Screenshot and accessibility tree expose all visible data -25

The scrot screenshot capability captures everything visible on screen. The inspect_ui.py script traverses the full AT-SPI accessibility tree of any named application, exposing all text content including passwords, private messages, financial information, and credentials displayed in any GUI application.

HIGH Skill is a force multiplier for indirect prompt injection -55

This skill converts any text-based prompt injection into physical desktop actions. An attacker who can inject instructions into the agent's context (via a malicious webpage, document, or another skill) gains the ability to click, type, kill processes, and screenshot the entire desktop. The skill has zero guardrails or confirmation mechanisms.

MEDIUM Skill normalizes killing user processes -18

The 'Forcing Accessibility in Electron Apps' workflow explicitly instructs the agent to run 'pkill ' to kill running applications and relaunch them with different flags. This normalizes process termination as an acceptable agent action, which could be exploited to kill security software, monitoring tools, or cause data loss in unsaved applications.

MEDIUM xdotool type enables indirect data exfiltration via terminal -10

The xdotool type command can type arbitrary text into any focused window. If a terminal is active, the agent could be directed to type commands that read sensitive files and send them to external servers. This creates a covert exfiltration channel that bypasses filesystem monitoring.

MEDIUM Overly broad skill scope enables scope creep -10

The skill description claims to handle all desktop GUI interaction including 'non-browser applications', 'mouse/keyboard input', 'window management', and 'UI hierarchy inspection'. This extremely broad scope means the agent could justify using this skill for nearly any task, expanding the attack surface well beyond what a user might expect from a 'GUI control' skill.

LOW Python script uses bare except clause -5

inspect_ui.py uses a bare 'except: pass' that silently swallows all exceptions during UI tree traversal. While not directly exploitable, this suppresses error messages that could alert users to unexpected behavior or failed access attempts.

INFO Runtime environment reads sensitive files during startup -15

Filesystem monitoring shows reads to .env, .aws/credentials, .openclaw/openclaw.json, .profile, and .bashrc during the install phase. These appear attributable to the OpenClaw agent runtime rather than the skill itself, but the skill's presence coincides with these accesses.