zellij
Warn
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill documents extensive methods to execute shell commands within terminal panes via
zellij runandzellij action write-chars. While essential for the tool's purpose, this gives the agent high-privilege control over the host terminal. - [REMOTE_CODE_EXECUTION]: In
references/actions.md, the skill describes thezellij action launch-plugincommand, which allows loading and executing WebAssembly plugins from arbitrary local file paths (e.g.,file:/path/to/plugin.wasm). This facilitates the execution of external binary logic. - [DATA_EXFILTRATION]: The
zellij action dump-screencommand allows the agent to read the content of terminal panes, including full scrollback history, and write it to a local file. This capability can be used to harvest sensitive data displayed during terminal sessions. - [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface due to its ability to process terminal output and execute commands based on it. * Ingestion points: Terminal content is read via
dump-screen(SKILL.md) andedit-scrollback(references/actions.md). * Boundary markers: Absent; there are no instructions to help the agent distinguish between data and instructions in captured output. * Capability inventory: Arbitrary command execution is available viawrite-charsandrun(SKILL.md), and file-writing is available viadump-screen. * Sanitization: Absent; the skill does not include validation or sanitization steps for the data retrieved from the terminal.
Audit Metadata