Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gui Control

v1.0.0

Control the GUI desktop on this machine using xdotool, scrot, and Firefox. Use when the user asks to open a browser, visit a website, take a screenshot, clic...

by Kunal Sharma @vibes-me

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for vibes-me/gui-control.

Prompt preview (Install & Setup):
Install the skill "Gui Control" (vibes-me/gui-control) from ClawHub.
Skill page: https://clawhub.ai/vibes-me/gui-control
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install gui-control

ClawHub CLI


npx clawhub@latest install gui-control

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (GUI control using xdotool, scrot, Firefox) match the provided script and runtime instructions. However, the SKILL.md asserts availability of xdotool/scrot/firefox but the skill metadata does not declare those binaries as requirements—this mismatch is unexpected but not necessarily malicious.
Instruction Scope (!)
Instructions explicitly direct the agent to take screenshots, read them (read_file('/tmp/screen.png')), and send them to the user via the message tool. Those actions are within the declared GUI purpose but carry clear privacy/exfiltration risk because desktop screenshots can contain sensitive information. The SKILL.md also tells the agent to write 'important system info' to MEMORY.md so other channels will know the display—this persists system state into agent memory and can expose information across channels, which is beyond what's needed for simple ephemeral GUI control.
Install Mechanism
No install spec (instruction-only + small helper script). No external downloads or archive extraction. The script is simple and its operations are transparent (firefox, scrot, xdotool, pkill, sleep).
Credentials
The skill declares no required environment variables or credentials, which is consistent with its function. It does, however, insist on using DISPLAY=:1 for all commands—this is reasonable for GUI control but the metadata does not declare this environment dependency explicitly. No other secrets are requested.
Persistence & Privilege (!)
always:false and disable-model-invocation are normal. The concerning part is the explicit guidance to write system/display info to MEMORY.md so other agents/gateways will know about the display. That encourages persistent storage of system state (and possibly sensitive context) outside the ephemeral interaction, increasing cross-channel exposure risk.
What to consider before installing
This skill does what it says: it will open Firefox, simulate keyboard input, take screenshots, and send those screenshots back to the user. Before installing or using it, consider the following:

  1. Desktop screenshots can contain sensitive data (passwords, chat windows, private documents). Only run this skill on machines where exposing the screen is acceptable.
  2. The SKILL.md tells the agent to persist 'important system info' into MEMORY.md so other channels/agents can see it — remove or disable that behavior if you don't want cross-channel persistence.
  3. The skill uses xdotool, scrot, and firefox but does not list them as required in the metadata; ensure those binaries are present and trusted on the host.
  4. Test in a controlled environment first (no credentials or private windows visible) and monitor outgoing messages to verify only intended screenshots/data are transmitted.
  5. If you need stricter limits, edit the SKILL.md/script to remove automatic read_file/send steps and the MEMORY.md guidance, and require explicit user confirmation before capturing or sending images.


Updated 2w ago
MIT-0

GUI Control

Control the Linux desktop with a GUI display using shell tools.

Environment

  • Display: DISPLAY=:1 — ALWAYS prefix all GUI commands with this
  • This machine has a display — never say "I'm on a headless server"
  • Tools available: xdotool (keyboard/mouse), scrot (screenshots), firefox

Quick Reference

Open Firefox with a URL

DISPLAY=:1 nohup firefox https://example.com > /dev/null 2>&1 &

Wait for page load before interacting:

sleep 5

Take a Screenshot

DISPLAY=:1 scrot /tmp/screenshot.png

Type Text into Active Window

DISPLAY=:1 xdotool type --delay 50 "Hello world"

Press a Key

DISPLAY=:1 xdotool key Return

Get Active Window Name

DISPLAY=:1 xdotool getactivewindow getwindowname

Close Firefox

DISPLAY=:1 pkill firefox

Workflow: Browse a Website and Interact

  1. Open Firefox with URL: DISPLAY=:1 nohup firefox <url> > /dev/null 2>&1 &
  2. Wait for load: sleep 5
  3. Take screenshot to verify: DISPLAY=:1 scrot /tmp/step.png
  4. Read screenshot to assess page state
  5. Interact using keyboard (preferred over mouse):
    • DISPLAY=:1 xdotool key Tab — move focus
    • DISPLAY=:1 xdotool key Return — submit/confirm
    • DISPLAY=:1 xdotool type --delay 50 "text" — type into focused field
  6. After each action, screenshot to verify result
  7. Send screenshots to user with the message tool and media parameter

Tips

  • Prefer keyboard over mouse coordinates — Tab, Enter, arrow keys are more reliable than xdotool mousemove + click
  • YouTube shortcut: press / to focus the search bar
  • Always wait after page loads or actions before taking screenshots
  • Use nohup ... & for launching Firefox so it doesn't block the shell
  • Send screenshots to user using message(content="...", media=["/tmp/screenshot.png"])

Lessons Learned

Don't Over-Engineer

  • Start simple: xdotool + keyboard shortcuts work great. Don't jump to Selenium/Marionette unless absolutely needed.
  • One clean attempt > five messy ones — think before executing, don't retry the same failing approach.
  • Don't open Firefox multiple times — check if it's already running first with ps aux | grep firefox

Keyboard Shortcuts by Website

  • YouTube: / focuses search bar, Tab navigates between elements, Return selects
  • General web: Ctrl+F opens find bar, Ctrl+L focuses address bar, Tab cycles focus
  • Don't use xdotool mousemove with hardcoded coordinates — they break on different resolutions and you might click the wrong element (e.g., address bar instead of YouTube search)

Common Mistakes to Avoid

  • Don't guess coordinates: xdotool mousemove 640 120 will click different things on different screens
  • Don't say "I'm on a headless server" — this machine HAS a display (DISPLAY=:1)
  • Don't use DISPLAY=:0 — the correct display is :1
  • Don't open multiple Firefox instances — reuse the existing one or close it first
  • Don't confuse the browser address bar with website search bars — use keyboard shortcuts to target the right element

Screenshot Workflow

  1. Take screenshot: DISPLAY=:1 scrot /tmp/screen.png
  2. Read it yourself: read_file("/tmp/screen.png") — this lets YOU see the screen
  3. Send to user: message(content="...", media=["/tmp/screen.png"])
  4. Always screenshot AFTER actions to verify results
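
The scan's advice to require explicit confirmation before capturing, together with two gaps in the workflow above (tool dependencies that are never checked and a fixed screenshot path in shared /tmp), as an added shell sketch that is not part of the skill or of the ClawHub report. The function names and the GUI_DISPLAY variable are hypothetical; the capture command is a parameter so the gate can be exercised on a host without scrot.

```bash
#!/usr/bin/env bash
# Added example (not the skill's code): preflight check, private output
# path, and a consent gate in front of the screenshot step.
# GUI_DISPLAY and all function names below are hypothetical.

GUI_DISPLAY="${GUI_DISPLAY:-:1}"   # the skill assumes display :1

# Print every required tool that is not on PATH; return 1 if any is missing.
missing_tools() {
    local rc=0 tool
    for tool in "$@"; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            printf '%s\n' "$tool"
            rc=1
        fi
    done
    return "$rc"
}

# Create a per-run directory (mktemp -d makes it mode 0700) and print an
# unpredictable screenshot path inside it, instead of /tmp/screen.png,
# which any local user could read or pre-create.
private_shot_path() {
    local dir
    dir="$(mktemp -d "${TMPDIR:-/tmp}/gui-shot.XXXXXX")" || return 1
    printf '%s/screen.png\n' "$dir"
}

# Capture only when the operator's answer is exactly "yes".
#   $1 = operator's answer, $2 = capture command (default: scrot)
# Exit codes: 2 = declined, 3 = capture tool missing, 1 = capture failed.
capture_with_consent() {
    local answer="$1" grabber="${2:-scrot}" out
    if [ "$answer" != "yes" ]; then
        echo "capture declined; nothing written" >&2
        return 2
    fi
    missing_tools "$grabber" >/dev/null || return 3
    out="$(private_shot_path)" || return 1
    DISPLAY="$GUI_DISPLAY" "$grabber" "$out" || return 1
    printf '%s\n' "$out"   # caller sends this file, then deletes its directory
}
```

Running `missing_tools xdotool scrot firefox` before the first GUI command surfaces the dependencies the skill metadata leaves undeclared.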

Gateway + GUI

  • When running nanobot gateway, always start with DISPLAY=:1 so Telegram/Discord agents can use GUI
  • The gateway agent has its own context — it won't know about the display unless MEMORY.md says so
  • Write important system info to MEMORY.md so all channels stay informed
