zellij-control
Pass
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the Zellij terminal multiplexer to execute commands and send interactive keystrokes to terminal panes. It also uses the 'dump-screen' feature to read the terminal's visible content and scrollback history. This provides the agent with full visibility and control over a terminal session, which can be used to execute any CLI tool or observe sensitive data printed to the screen.
- [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection because it reads and processes terminal output that could contain untrusted data from external sources (e.g., website output, file contents).
  - Ingestion points: Screen content is read from '/dev/shm/zj.txt' after being captured by the 'zellij action dump-screen' command.
  - Boundary markers: Absent. There are no instructions or delimiters used to separate terminal output from agent instructions or to warn the agent to ignore embedded commands.
  - Capability inventory: The agent can inject arbitrary characters and commands into the terminal via 'zellij action write-chars' and can manage terminal panes.
  - Sanitization: Absent. Captured terminal content is read directly into the agent's context without any filtering or sanitization.