Is gedigi/peekaboox safe?

https://github.com/openclaw/skills/tree/main/skills/gedigi/peekaboox

83
SAFE

gedigi/peekaboox is a legitimate, well-constructed Linux X11 desktop automation skill providing screenshot capture, mouse/keyboard control, and window management via standard tools (xdotool, wmctrl, scrot). No prompt injection, hidden instructions, remote code download, git hooks, or malicious exfiltration logic was found in any of the fourteen skill files. The primary concerns are inherent to the skill's capability class: it grants the agent complete desktop control, making it a high-value amplifier if a user is socially engineered or a co-running skill is malicious; install.sh requires sudo and installs ImageMagick; and canary files were read in a suspicious post-parse burst (most likely the audit harness, not the skill). All canary honeypots remained intact with no content exfiltration detected.

Category Scores

Prompt Injection 96/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 73/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 87/100 · 10%
Behavioral Reasoning 63/100 · 5%

Findings (5)

MEDIUM Canary files opened immediately after skill content parsed -20

All six honeypot credential files (.env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened at 1771907291.427 in a sequential burst immediately after the skill source files were read. The identical access pattern also occurred pre-clone at 1771907270, strongly suggesting this is the Oathe audit harness performing its read-check sweep rather than skill-triggered access. However, no EXECVE was correlated to this specific batch at 1771907291, so the trigger cannot be conclusively attributed. No contents were modified or transmitted.

MEDIUM Full desktop control — high-value amplifier for malicious prompts -37

The skill correctly describes its purpose as desktop automation, but the capabilities it exposes (screenshot, type, click, hotkey) constitute a complete UI exfiltration toolkit when driven by a crafted or hijacked user prompt. An adversary who can influence the user's request (e.g., via a prompt-injected website or document) could instruct the agent to screenshot a password manager, type credentials into a form, or capture OTP displays. The skill contains no safeguards against such misuse.

LOW install.sh requires sudo and installs broad package set including ImageMagick -27

install.sh runs 'sudo apt-get install -y xdotool wmctrl scrot x11-utils imagemagick python3 python3-venv python3-pip'. This is expected for an X11 automation skill but grants the install script root-level package write authority. ImageMagick has a significant CVE history (ImageMagick/ImageTragick class vulnerabilities). python3-pip is also installed, expanding the future attack surface. The install script is otherwise clean with no curl/wget calls.

LOW Screenshots written to predictable /tmp paths -12

capture.sh saves screenshots to /tmp/linux-desktop-capture-$(date +%s).png. While this is local and not transmitted, the predictable path and unprotected /tmp location mean any co-running process or subsequent skill can read these files. The agent is explicitly instructed to read the image file, so the screenshot content enters the LLM context; any sensitive screen content (passwords, private messages) becomes part of the context window.

INFO Post-install openclaw-gateway AWS connections 0

After installation, two ESTABLISHED TCP connections to 34.233.6.177:443 (AWS EC2) appear in the ss diff, attributed to openclaw-gatewa pid=1087 fd=27/29. This is the OpenClaw platform process, not any script in this skill. No connections attributable to skill scripts were observed.