peekaboo
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs the `peekaboo` CLI tool using the Homebrew package manager from a third-party repository (steipete/tap/peekaboo). This introduces an external dependency that is not managed by the skill vendor or the official Homebrew core repository.
- [DATA_EXFILTRATION]: The skill can access sensitive user data through several commands: `peekaboo clipboard` reads the contents of the macOS clipboard, while `peekaboo see`, `peekaboo image`, and `peekaboo capture` allow the agent to view or record the user's screen.
- [COMMAND_EXECUTION]: The skill executes high-privilege UI automation commands that can control the entire macOS interface, including simulating keyboard and mouse input (`click`, `type`, `press`), managing applications (`app launch/quit`), and executing automation scripts via `peekaboo run`. It also manages provider settings and credentials through the `peekaboo config` command.
- [PROMPT_INJECTION]: The skill's architecture is vulnerable to indirect prompt injection because it interprets visual data from the screen.
  * Ingestion points: Untrusted text from the user's screen is ingested by the agent through UI snapshots (`peekaboo see`) and screen captures.
  * Boundary markers: There are no explicit markers or instructions provided to the agent to help it differentiate between legitimate instructions and text found within captured screenshots or UI maps.
  * Capability inventory: The skill possesses powerful capabilities such as script execution (`run`), input simulation (`type`, `click`), and the ability to launch applications, which could be abused if the agent follows instructions found on a malicious webpage or document.
  * Sanitization: No sanitization or filtering of the captured UI text is performed before it is passed to the AI model for interpretation.
Audit Metadata