iterm2
Warn
Audited by Gen Agent Trust Hub on Jun 21, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides instructions and examples for using
async_send_textandasync_injectto run arbitrary commands in the terminal, granting the agent shell access to the underlying system. - [DATA_EXFILTRATION]: The skill enables keystroke logging via
iterm2.KeystrokeMonitor, allowing the agent to capture everything the user types in the terminal, including potentially sensitive passwords or credentials. - [DATA_EXFILTRATION]: The agent can read all information displayed in terminal windows and historical scrollback buffers through
async_get_screen_contentsandasync_get_contentsAPIs. - [EXTERNAL_DOWNLOADS]: The skill directs the user to install the
iterm2Python package, a third-party dependency necessary for script execution. - [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by combining terminal output reading with command execution capabilities. Ingestion points: Screen content reading (documented in
SKILL.md). Boundary markers: Not present. Capability inventory: Subprocess execution and terminal command injection. Sanitization: Not present.
Audit Metadata