Xdotool Control
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: xdotool-control Version: 1.0.0 The OpenClaw AgentSkills bundle provides powerful desktop automation capabilities using xdotool and scrot, which are inherently high-risk. While the SKILL.md instructions do not contain explicit malicious prompt injection, several shell scripts (`scripts/browser_action.sh`, `scripts/find_and_click.sh`, `scripts/snap_verify_click.sh`, `scripts/type_in_window.sh`) are vulnerable to shell injection. User-controlled arguments like `ACTION` in `browser_action.sh` or `WINDOW_NAME` in the other scripts are directly interpolated into shell commands without sanitization, allowing for arbitrary command execution if an attacker can control these inputs. This constitutes a critical vulnerability, classifying the skill as suspicious rather than malicious, as there's no evidence of intentional harmful behavior by the skill's author.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent invocation could type or submit actions in the wrong live application if the window match, focus, or user intent is mistaken.
This helper can send arbitrary supplied text and optionally press Enter in any window matching the provided name, which can submit forms or run commands if used on sensitive apps such as terminals.
xdotool type --clearmodifiers "$TEXT" if [ "$PRESS_ENTER" = "--press-enter" ]; then ... xdotool key Return
Use this only with explicit user confirmation for clicks, typing, and Enter-key actions; prefer a dedicated test window/session and avoid targeting terminals or account-sensitive apps unless the user has reviewed the exact action.
The agent could approve a prompt or daemon action that the user expected to review manually.
The documentation explicitly shows sending an affirmative response into an existing agent/session prompt, which could bypass a human review step if used without clear user approval.
### 6. Approve tmux Prompt (for Clawdy daemon) SESSION=$(tmux ls | grep claude-session | head -1 | cut -d: -f1) tmux send-keys -t "$SESSION" "Yes" Enter
Remove or gate prompt-approval workflows, and require an explicit user confirmation immediately before sending affirmative responses such as Yes/Enter.
Web or extension actions may be performed as the current logged-in user, even though the skill does not request credentials directly.
The script drives the user's existing Chrome window, so browser actions may occur under whatever accounts or sessions are already active there.
WIN=$(xdotool search --name "Google Chrome" 2>/dev/null | head -1) ... xdotool windowactivate --sync "$WIN"
Run browser automation in a dedicated browser profile or logged-out test session when possible, and require review before actions involving accounts, payments, extensions, or administrative pages.
Users may not see the Linux desktop tooling requirements before installation, and the skill may fail until system packages are installed manually.
The registry metadata does not declare the runtime dependencies that the SKILL.md and scripts require, such as xdotool and scrot.
Required binaries (all must exist): none ... Install specifications: No install spec
Declare the required binaries and OS expectations in metadata or an install spec, and let users approve any sudo package installation themselves.
Sensitive information visible on the desktop could be captured in screenshots and shown to the agent.
The documented workflow captures desktop screenshots and has the agent read them into context; broad screenshots may include unrelated private content and remain as temporary files.
scrot /tmp/desktop.png ... Read screenshots with Claude's Read tool — it renders images inline.
Crop screenshots to the smallest needed region, close or hide sensitive windows, and delete temporary screenshot files when finished.