Full desktop computer use for headless Linux servers. Xvfb + XFCE virtual desktop with xdotool automation. 17 actions (click, type, scroll, screenshot, drag,...
Security Analysis
medium confidenceThe skill's files and instructions implement exactly what it claims (an Xvfb+XFCE virtual desktop with xdotool automation and VNC access); it requires sudo to install systemd services and modifies system binaries, which is heavy but coherent with the stated purpose.
Name/description match the implementation: scripts implement Xvfb display, XFCE watchdog, xdotool interactions (click/type/scroll/etc.), screenshots, and VNC/noVNC access. All requested behaviors are explained and present in the files.
SKILL.md and scripts stay on task (set DISPLAY, take screenshots, control mouse/keyboard, install and run VNC). However the setup script instructs the user to run a privileged installer that writes systemd unit files, copies a watchdog into /opt, and masks /usr/bin/xfdesktop — actions that are beyond simple user-space tooling and should be reviewed before running.
There is no formal package-install spec in registry metadata, but the included setup script runs apt to install dependencies and writes systemd units. Packages are installed from the distro repos and Chrome from Google's official URL (dl.google.com). No unknown third‑party download hosts or URL shorteners are used.
The skill does not request any environment variables or external credentials. Scripts set DISPLAY=:99 and use standard X11 tools. One privacy note: screenshot scripts output base64 PNGs to stdout, which can contain sensitive screen content — be mindful how those outputs are used or transmitted.
The setup script creates persistent systemd services, enables auto-start, copies scripts to /opt, and masks /usr/bin/xfdesktop (moving the original). These are persistent, privileged changes — reasonable for a persistent headless desktop but high-impact. Also the provided systemd x11vnc unit does not bind explicitly to localhost or configure authentication, so if services are started on a machine with open network access they could expose an unauthenticated VNC server unless the operator uses SSH tunnels or firewall rules.
Guidance
This skill appears to do what it says, but it performs privileged, persistent system changes. Before installing: (1) review the setup-vnc.sh script and the generated /etc/systemd/system/*.service files; (2) understand and approve the masking of /usr/bin/xfdesktop (it renames/moves the original binary); (3) ensure VNC is only reachable via SSH tunnel or firewall (or configure x11vnc to listen on localhost and require a password) — otherwise it may expose your desktop to the network; (4) run first in an isolated VM or container if possible; and (5) be cautious about screenshots (they are emitted as base64 and may contain sensitive data). If any of these actions are unacceptable, do not run the setup script.
Latest Release
v1.2.1
- Improved description to highlight X11-level automation for undetectable interactions (vs browser tools). - Clarified Chrome usage: added instructions to check user namespace support and avoid unnecessary --no-sandbox flag (improves browser stability). - Updated manual setup instructions to suggest using the setup script for generating service files. - Various documentation refinements for clarity and accuracy.
Popular Skills
Published by @Ram-Raghav-S on ClawHub
