Peekaboo — agentic threat model
Peekaboo presents a high-risk profile: it can capture arbitrary macOS screen content and manage windows, so sensitive data from unrelated applications can reach upstream LLMs with no built-in filtering or consent boundary.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.20 |
| Goal-Driven Planning | 0.10 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.70 |
| Persistent Memory | 0.00 |
| Contextual Awareness | 0.80 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.40 |
| Non-Determinism | 0.30 |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — Peekaboo acts as an MCP tool rather than a model, but the upstream vision models performing the 'on-image analysis' are highly susceptible to visual prompt injection and adversarial images displayed on the user's screen.
Layer 2 (Data Operations): Data operations involve transient screen capture and window state data. The primary threat is the accidental ingestion and potential exfiltration of highly sensitive, unredacted PII, credentials, or proprietary data visible in adjacent, unrelated application windows.
Layer 3 (Agent Frameworks): As an MCP tool, insecure integration into an agent framework could allow an orchestrator to be manipulated into executing unauthorized window management actions or capturing screenshots at sensitive moments.
Layer 4 (Deployment and Infrastructure): The tool runs locally on macOS and requires OS-level Screen Recording and Accessibility permissions. Compromise of the local MCP host or socket allows complete, silent visual surveillance of the user's active session.
Layer 5 (Evaluation and Observability): Not certain from the listing — no guardrails, automated redaction capabilities, or audit logging mechanisms are mentioned that would record when screenshots are taken or mask sensitive fields before analysis.
Layer 6 (Security and Compliance): Lacks native authorization policies, user-confirmation prompts (Human-in-the-Loop), or compliance controls, creating significant compliance friction with data privacy regulations such as GDPR and CCPA.
Layer 7 (Agent Ecosystem): In a multi-agent MCP ecosystem, a secondary compromised agent could query the Peekaboo tool to exfiltrate active session data, bypassing traditional application sandboxing boundaries via the shared desktop interface.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).