Is peekaboo safe?
https://clawhub.ai/steipete/peekaboo
Peekaboo is a legitimate macOS UI automation skill from a known developer (steipete). The skill itself contains no malicious code, prompt injection, or data exfiltration — it is purely documentation for the peekaboo CLI. However, the capabilities it grants the agent (full keyboard/mouse control, screenshot capture, clipboard access, security dialog interaction, and app management) represent an extraordinarily broad privilege surface. While safe in isolation with a trusted user, these capabilities become dangerous if the agent is ever manipulated by prompt injection from any source.
Findings (11)
HIGH Extreme UI automation privilege surface -40
The skill grants the agent full macOS UI automation including clicking, typing, screenshot capture, clipboard access, app launching, dialog interaction, and menu control. These capabilities combined represent near-total control over the user's desktop environment. While the skill itself is not malicious, this privilege surface is extremely dangerous if the agent is ever manipulated by prompt injection from any source.
HIGH Clipboard read access exposes sensitive data -20
The peekaboo clipboard command allows reading clipboard contents including text, images, and files. Users frequently copy passwords, API keys, tokens, and other sensitive data. An agent with this capability could inadvertently or deliberately access this data.
HIGH Screenshot capture of arbitrary applications -15
The peekaboo image and peekaboo see commands capture screenshots of any application window or the full screen. This could expose banking interfaces, private messages, medical records, or other sensitive on-screen content.
MEDIUM Third-party Homebrew tap installation -15
The skill requires installing from a third-party Homebrew tap (steipete/tap/peekaboo), which executes build scripts and formulae controlled by the tap maintainer. This is a supply chain trust boundary — the security of the installed binary depends entirely on the tap author.
MEDIUM Script execution via peekaboo run -10
The peekaboo run command executes .peekaboo.json automation scripts. If an attacker can place a malicious script file in the working directory, the agent could be tricked into executing it.
MEDIUM Security dialog dismissal capability -15
The peekaboo dialog command can click, input, dismiss, and interact with system dialogs. This could allow the agent to approve security prompts, permission requests, or installation dialogs without meaningful user consent.
MEDIUM Screenshot analysis sends data to external LLM -5
The --analyze flag on image/see commands sends captured screenshot content to an LLM provider for analysis. This transmits potentially sensitive screen contents to a third-party API configured via peekaboo config.
LOW Credential entry normalization in examples -8
The SKILL.md examples demonstrate typing passwords via the agent (peekaboo type "supersecret"), which normalizes the pattern of an AI agent handling raw credentials. This could reduce user vigilance about the agent accessing sensitive authentication data.
LOW Broad capability scope invites cross-skill abuse -10
While the skill itself contains no prompt injection, its extensive UI automation capabilities make it a high-value target for cross-skill attacks. A malicious companion skill could instruct the agent to use peekaboo commands to exfiltrate data or perform unauthorized actions.
INFO No executable code in skill repository 0
The skill contains only documentation files (SKILL.md, _meta.json, origin.json, lock.json). No scripts, hooks, submodules, or symlinks detected. All execution capability is via the external peekaboo binary.
INFO Clean clone with no side effects 0
No filesystem, network, or process activity detected during skill installation. The skill installed cleanly with no observable side effects.