Is jeremysommerfeld8910-cpu/xdotool-control safe?
https://github.com/openclaw/skills/tree/main/skills/jeremysommerfeld8910-cpu/xdotool-control
This xdotool-control skill is a legitimate GUI automation toolkit for OpenClaw/ClawdBot agents, but contains a HIGH-severity pattern in Section 6 that explicitly teaches the agent to locate and send 'Yes' to tmux sessions named 'claude-session', directly targeting agent confirmation dialogs and creating an agent-safety bypass risk. The skill also provides unrestricted desktop screenshot capture, browser navigation, and keyboard injection capabilities that, while useful for automation, create significant data exfiltration and command injection surface if the agent is manipulated via adversarial prompts. Canary files were untouched and no unexpected network connections were observed during install.
Findings (8)
HIGH: Auto-Approve Claude Agent Session Prompts via tmux (-30)
Section 6 of SKILL.md provides a pattern that finds a tmux session matching 'claude-session' and sends 'Yes Enter' to it. This is explicitly labeled 'Approve tmux Prompt (for Clawdy daemon)' and directly targets the confirmation dialog mechanism used by Claude/ClawdBot agent pipelines. If the agent follows this pattern when instructed to 'approve a Clawdy prompt' or similar phrasing, it will bypass human-in-the-loop safety confirmations in other agent sessions on the same machine.
MEDIUM: Unrestricted Full-Desktop Screenshot Capture to /tmp (-20)
Multiple scripts and SKILL.md examples use scrot to capture full desktop screenshots and save them to /tmp with predictable filenames. Any sensitive content visible on screen (passwords typed into terminals, API keys in editors, private documents, session tokens in browser tabs) can be captured and potentially read by the agent or exfiltrated if another tool is used to transmit /tmp contents.
MEDIUM: Browser Screenshot Capture After Attacker-Directed Navigation (-20)
browser_action.sh accepts a URL argument, navigates Chrome to it, and saves a screenshot of the result. This creates a mechanism where an adversarial prompt could direct the agent to open authenticated internal URLs (email, internal dashboards, OAuth-protected apps) and capture their rendered content as images.
MEDIUM: Arbitrary Keyboard Input Injection into Any Focused Window (-25)
type_in_window.sh focuses any window by name and injects arbitrary text followed by Enter. If the agent is directed to focus a terminal or code editor, this enables command injection. The --clearmodifiers flag suppresses only modifier key state — it does not sanitize the text content passed as the second argument.
MEDIUM: Agent-Controlled Browser URL Navigation (-15)
SKILL.md and browser_action.sh teach the agent to type arbitrary URLs into Chrome's address bar. This enables navigation to attacker-controlled phishing pages, internal-only services, or credential-harvesting sites from within the user's authenticated browser session.
LOW: Five Shell Scripts Granting Full Desktop Privilege (-15)
The skill ships five executable bash scripts providing unrestricted access to xdotool (mouse/keyboard/window control), scrot (screenshots), and Chrome browser automation. These run with the agent user's full OS privileges and contain no input validation, allowlisting, or scope restriction.
INFO: Standard Git Clone, No Unexpected Network Activity (-15)
Install cloned from github.com/openclaw/skills via HTTPS. All network connections during install were either to the GitHub CDN (140.82.113.3), the pre-existing openclaw-gateway process (44.214.208.192), or normal OS infrastructure. No novel outbound connections were initiated by the skill itself.
INFO: All Canary Files Intact (-5)
Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP creds) were not modified or exfiltrated. File access records for these paths at install-phase timestamps are attributable to the audit framework's own canary setup and periodic verification routines.