Track a shared contact's location via Apple Find My with street-level accuracy. Returns address, city, and context (home/work/out) by reading map landmarks. Supports configurable known locations and vision fallback for unknown places.
Security Analysis
high confidenceThe skill's code, instructions, and requirements are consistent with its stated purpose (automating Apple Find My via accessibility tooling), but it requires sensitive macOS permissions and recommends running an unauthenticated local Hammerspoon HTTP endpoint — review those privacy/security implications before installing.
Name and description (Find My integration, street-level accuracy) align with the provided files and instructions: the Python tool uses peekaboo and optional Hammerspoon to control the Find My app, capture screenshots, and match landmarks against a user config. No unrelated cloud credentials, binaries, or services are requested.
Most runtime steps are within scope (open Find My, capture accessibility data, screenshot, match landmarks). However SKILL.md recommends installing a Hammerspoon config that starts an unauthenticated local HTTP server on port 9090 to receive click commands — this exposes a local RPC that any local process could call to simulate clicks. The instructions also ask for Accessibility and Screen Recording permissions and advise reading optional USER.md files to infer a target; these are legitimate for the task but are privacy-sensitive and increase local attack surface.
No remote or obfuscated install artifacts in the registry. SKILL.md recommends brew-installed binaries (peekaboo, hammerspoon) from known taps and includes a simple install.sh that symlinks the script to ~/.local/bin and creates a config in ~/.config/findmy-location — standard, low-risk operations. The registry metadata lacked an explicit install spec but the shipped install.sh is straightforward.
The skill requests no environment variables or external credentials. It does require an iCloud account signed into the Mac and the target sharing location via Find My (expected). The script will read optional local files (e.g., ~/clawd/USER.md, ~/USER.md) to infer a target name — this is minor scope creep and worth noting if those files contain sensitive info.
The skill does not request elevated platform privileges in the registry (always:false). install.sh writes a symlink into ~/.local/bin and a config in ~/.config/findmy-location (normal). The primary persistence concern is the recommended Hammerspoon config which, if installed and left running, provides a persistent, unauthenticated local HTTP endpoint that could be abused by other local processes to simulate clicks.
Guidance
Before installing, consider the following: - This tool automates the macOS Find My app and requires Screen Recording + Accessibility permissions; granting those to tools can expose sensitive screen data and UI control—only grant them if you trust the code. - The README/SKILL.md recommends adding a Hammerspoon script that starts an unauthenticated HTTP server on localhost (port 9090) to accept click commands. If you enable that, any local process could call that endpoint to simulate clicks. If you don't need Hammerspoon, skip adding that server and rely on peekaboo clicks instead. - The installer creates ~/.config/findmy-location/config.json and a symlink in ~/.local/bin; inspect install.sh and findmy-location.py yourself before running them. The repository source in the instructions points to github.com/poiley/findmy-location.git but the skill metadata lists source: unknown — verify the upstream repo and its commit history before trusting. - The script saves screenshots to /tmp and may read optional local files (~/clawd/USER.md, ~/USER.md) to infer a target name; check these files for sensitive information and consider the privacy implications of storing images in /tmp. - Legal/ethical: this tool locates shared contacts via Apple Find My. Ensure you have the contact's consent and that use complies with applicable laws and policies. If you decide to proceed: review the code, skip or harden the Hammerspoon step (e.g., require a secret or bind to a local UNIX socket), and keep the tool restricted to a trusted machine.
Latest Release
v1.1.1
Add skill description
More by @poiley
Published by @poiley on ClawHub
