peekaboo
Warn
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill manifest includes an automated installation step using a third-party Homebrew tap ('steipete/tap/peekaboo') and mentions a 'polter' utility for builds. These represent external code dependencies from sources outside the primary vendor or trusted organizations.
- [COMMAND_EXECUTION]: The skill enables full programmatic control over the macOS user interface, including simulating mouse movements, clicks, and keyboard input. These operations necessitate 'Accessibility' and 'Screen Recording' permissions, which grant the agent high-privileged access to the user's active session.
- [DATA_EXFILTRATION]: The tool provides built-in commands to access sensitive system data, including reading the clipboard (`clipboard`) and capturing visual information from the screen (`image`, `see`). This surface could be exploited to expose sensitive data if the agent is directed to interact with untrusted environments.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. 1) Ingestion point: The `see` and `capture` commands ingest untrusted text and UI metadata from external applications. 2) Boundary markers: No delimiters or ignore-instructions warnings are present for the ingested UI data. 3) Capability inventory: The skill has extensive capabilities including `click`, `type`, `press`, and file writes via `capture`. 4) Sanitization: No evidence of sanitization or human-in-the-loop review is provided for data extracted from the UI before it is used to drive subsequent agent actions.
Audit Metadata