Is loganprit/apple-find-my-local safe?

The skill enables an AI agent to observe and capture the precise real-time locations of family members, friends, and personal devices via Apple Find My. Screenshots containing this data are written to /tmp (world-readable). While no transmission code exists in the scripts, the agent retains full access to these images and the location information within them for the duration of the conversation session. A sophisticated attacker who controls the skill description or combines this skill with another could harvest this data without user awareness.

The skill takes exclusive control of the mouse and keyboard while running ('User cannot interact with the Mac while skill is running'). This is disclosed but means a user cannot interrupt or observe unexpected behavior mid-execution. A modified version of this skill could perform additional UI actions on other applications under the cover of the disclosed Find My automation.

Scripts accept FM_OUTPUT_DIR without path validation. If an attacker could control this environment variable (e.g., via another skill that sets env vars, or through a compromised shell profile), screenshots containing location data could be written to a network-mounted directory, a cloud-synced folder (iCloud Drive, Dropbox), or a path monitored by another process.

auditd PATH records confirm read-access to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json at timestamp 1771921799.954, which falls in the post-install phase after skill files were copied. Attribution is ambiguous — the audit's own source-scanning harness is a plausible cause, and none of the skill scripts contain credential-reading code. Canary file contents were reported intact. Flagged for completeness.

Nine bash scripts execute directly on the host macOS system with full user privileges. While all scripts are reviewed and appear legitimate, they interact with peekaboo — a UI automation tool with Screen Recording + Accessibility permissions. Any modification to these scripts post-install (or a future update) could leverage those permissions for unintended actions.

After installation, the openclaw-gateway process establishes live HTTPS connections to 44.214.208.192 (AWS us-east-1) and 104.16.10.34 (Cloudflare). These are OpenClaw platform connections, not skill-specific code. However, all peekaboo commands flow through the local bridge socket that this gateway manages, creating a data path where location automation commands (and potentially responses) transit OpenClaw's infrastructure.

This skill is benign in isolation but becomes a significant privacy threat in combination with any skill that can transmit files (email, Slack, HTTP upload, etc.). An attacker who can inject both skills into an agent session could instruct: 'Find where my family members are and send me the screenshots.' The skill has no controls preventing its output from being used this way.

SKILL.md instructs the agent to 'cd {skillDir}' before running scripts. This is a runtime template substitution that changes the agent's working directory. While necessary for relative script invocation, it means the agent must execute a shell directory change as a precondition — a minor footprint expansion compared to running scripts with absolute paths.