peekaboo
Pass
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to configure the
@steipete/peekaboopackage from the NPM registry vianpx. This is a standard deployment method for the Peekaboo MCP server, which is provided by a recognized developer in the macOS ecosystem. - [COMMAND_EXECUTION]: The skill enables GUI automation capabilities including clicking, typing, and window management on macOS. These operations are subject to the host operating system's security model and require explicit user-granted permissions for Screen Recording and Accessibility.
- [PROMPT_INJECTION]: The use of OCR to read screen content introduces a surface for indirect prompt injection, as the agent may process instructions contained within the captured screen. However, this is an inherent risk of the skill's primary functionality and is not indicative of malicious intent.
Audit Metadata