
peekaboo

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to indirect prompt injection through its vision and analysis features.
      • Ingestion points: The see, image, and capture commands ingest untrusted data directly from the user's screen, windows, and UI elements.
      • Boundary markers: None identified. The skill instructions do not specify any delimiters or instructions to ignore embedded content within the UI.
      • Capability inventory: The skill has extremely high-privilege capabilities including click, type, paste, hotkey, app launch/quit, and run (executing scripts).
      • Sanitization: None. The vision analysis (--analyze) likely feeds UI content directly back to the agent's reasoning engine, allowing content on a webpage or document to control the agent's next OS-level action.
  • [Unverifiable Dependencies] (MEDIUM): The skill installs a binary from a third-party Homebrew tap (steipete/tap/peekaboo).
      • Evidence: The YAML metadata specifies a brew installation from a non-whitelisted source. This binary has full access to the user's input and screen data.
  • [Data Exposure] (HIGH): The skill provides tools to programmatically access sensitive user data.
      • Evidence: The clipboard command allows reading the system clipboard, and the image/capture/see commands allow full screen and window recording. This data could be exfiltrated if combined with a network-capable agent.
  • [Privilege Escalation] (HIGH): The skill explicitly requires and checks for high-level macOS TCC permissions.
      • Evidence: Requires 'Screen Recording' and 'Accessibility' permissions to function. While legitimate for UI automation, these permissions grant the agent total control over the local user session.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 09:15 AM