ghostty-terminal-automation
Warn
Audited by Gen Agent Trust Hub on Jul 2, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill exposes the
terminaltool with thesendaction and thenew_terminaltool with acommandparameter, both of which allow the AI agent to execute arbitrary shell commands on the host machine. This grants the agent full command-line access with the permissions of the user running the terminal. - [DATA_EXPOSURE]: The
terminaltool includesread,cells, andscreenshotactions that allow the agent to capture everything displayed in the terminal window. This can lead to the exposure of sensitive data such as hardcoded environment variables, authentication tokens, private source code, or personal information that may be visible on the screen during a session. - [INDIRECT_PROMPT_INJECTION]: The skill's ability to ingest terminal output creates a surface for indirect prompt injection. If the terminal displays content from an untrusted source (e.g., a log file, a downloaded script, or the source of a website), that content could contain malicious instructions designed to manipulate the agent's behavior.
- Ingestion points: Tools such as
terminal(withread,cells,wait_text, orexpectactions) retrieve and process text directly from the terminal surface. - Boundary markers: The instructions do not define boundary markers or delimiters to help the agent distinguish between terminal data and instructions.
- Capability inventory: The agent has the ability to execute subprocesses and commands via the
sendaction and create new processes vianew_terminal. - Sanitization: There is no evidence of sanitization or validation of the data read from the terminal before it is processed by the agent.
Audit Metadata