Security audit

peekaboo-cli

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate Peekaboo CLI helper, but it gives an agent very broad ability to see and control a Mac desktop without enough built-in scoping or safety guidance.

Install only if you intentionally want an agent to view and operate your macOS desktop. Require explicit confirmation before screenshots, external AI analysis, Terminal typing, credential entry, clipboard changes, app quits, file moves/deletes, daemon/MCP use, and autonomous agent runs; review `~/.peekaboo` caches and stored provider credentials after sensitive work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill is presented as a macOS UI automation utility, but the referenced documentation expands into autonomous-agent, MCP server, and generic tool/run capabilities that go beyond narrowly scoped UI interaction. That mismatch increases the chance an agent will invoke broader execution features than users expect, weakening least-privilege assumptions and making abuse or accidental overreach more likely.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Advertising autonomous-agent and generic run/tool features inside a desktop automation skill creates capability creep: consumers may trust it as a simple UI helper while it implicitly supports broader orchestration or execution behavior. In a security-sensitive environment, undocumented or unjustified expansion of control surfaces can materially increase misuse risk.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The description is broad enough to match many ordinary desktop-help requests, which can cause the skill to be selected in situations where powerful UI automation is unnecessary. Over-broad routing raises the likelihood of unintended screen capture, app control, or text entry in response to benign user asks.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The markdown explicitly promises complete desktop control and screen capture but does not pair those capabilities with prominent privacy, consent, and system-impact warnings. Because these operations can expose sensitive on-screen data and manipulate applications, the lack of warning and usage restrictions makes accidental harmful use more likely.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation exposes an autonomous agent command that can orchestrate UI actions like clicking, typing, menu selection, and session resumption, but it does not warn users that invoking the agent may change application state, submit data, install software, or otherwise affect the local system. In a desktop automation context, missing this warning increases the risk of accidental destructive or privacy-impacting actions because users may treat the command like a read-only assistant rather than an executor.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation promotes live screen and window capture but does not warn that the feature may record sensitive on-screen content such as passwords, messages, documents, tokens, or other private data. In a desktop automation tool, this omission increases the chance of accidental over-collection, unsafe sharing of captures, and privacy or compliance incidents.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation explicitly describes clipboard-destructive actions such as `set`, `clear`, and `restore` without warning that they overwrite or erase the user's current clipboard contents. In an automation skill, clipboard state often contains sensitive or user-important data, so silent modification can cause data loss, disrupt workflows, or replace contents with attacker-controlled payloads that may later be pasted elsewhere.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation includes a concrete example that types a password directly into a dialog prompt, which normalizes use of the tool for handling secrets without any warning about credential exposure risks. In a macOS UI automation skill, this is more dangerous because automated entry of credentials can encourage insecure secret handling, accidental logging, shell history exposure, and misuse for credential stuffing or unauthorized access workflows.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation includes an example that drags a file element into the Trash, which is a destructive UI action, but it provides no warning, confirmation guidance, or explanation of consequences. In a macOS UI automation skill, examples are highly actionable and may be copied directly by agents or users, increasing the chance of unintended file deletion or data loss.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation explicitly advertises an option to send captured screenshots to a configured AI provider, but it does not warn that screenshots may contain sensitive on-screen data such as credentials, personal information, messages, or proprietary content. In a macOS UI automation tool, this omission is especially risky because the captured content can include arbitrary desktop state, making accidental data exfiltration to third-party services more likely.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation explicitly supports capturing full macOS UI state, accessibility metadata, and saving annotated screenshots to disk, but it does not warn that screens may contain passwords, messages, tokens, personal data, or other sensitive information. In an automation/agent context, this increases the chance of unintended collection, persistence, and downstream disclosure of sensitive on-screen data, especially when `--mode screen`, `--annotate`, and `--path` are used.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation explicitly instructs users how to inject synthetic keystrokes, clear existing field contents with Cmd+A/Delete, and send follow-up control keys such as Return and Tab, but it provides no safety guidance about targeting the correct application or avoiding sensitive/destructive contexts. In a macOS UI automation tool, these actions can easily trigger unintended commands, overwrite data, submit forms, or interact with privileged applications if misused or if focus is wrong.

VirusTotal

60/60 vendors flagged this skill as clean.