NYC

interactive-shell

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill uses the 'node-pty' library to spawn pseudo-terminal sessions that execute whatever shell command the agent supplies. This gives the agent full command-line access with the same permissions as the user running the process.
  • [EXTERNAL_DOWNLOADS] (HIGH): The 'scripts/install.js' file runs 'npm install' at runtime in the installation directory. This fetches third-party code from the public npm registry without integrity verification, a significant supply chain exposure.
  • [PROMPT_INJECTION] (HIGH): The tool is highly susceptible to indirect prompt injection (Category 8) because it ingests commands from the agent context (ingestion point: 'InteractiveShellOptions.command') without any sanitization or boundary markers. If malicious external content (a web page, a file, another tool's output) tricks the agent into issuing a terminal command, the skill executes it directly.
  • [REMOTE_CODE_EXECUTION] (HIGH): Unrestricted shell access combined with dynamic package installation during setup amounts to remote code execution. It could be used to run arbitrary payloads or to gain persistent access to the host.
  • [DATA_EXFILTRATION] (MEDIUM): Terminal session output is captured in buffers for TUI display and handoff previews. An agent manipulated into reading sensitive files (e.g., SSH keys, environment variables) would expose their contents in the captured output, from where they can leave through the agent's response channel.
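The three HIGH and MEDIUM findings above describe one pipeline: a command string enters at 'InteractiveShellOptions.command', is handed to node-pty unchanged, and its output is buffered for display. What follows is an added example written by the editor, not code from the skill or from Gen Agent Trust Hub, of the gate a hardened version would put around that pipeline: an allowlist-and-argv check that refuses shell metacharacters and credential paths before anything is spawned, and a redaction pass over the captured buffer before it reaches the TUI or a handoff preview. The allowlist, the denylist, the redaction patterns and the sample buffer are assumptions chosen for illustration; node-pty's spawn(file, args, options) signature is the library's own.

```javascript
'use strict';

// Added example (editor's, not the audited skill's code): a policy gate between
// the agent and the pty. Allowlist, denylist and redaction patterns are assumed.

// Programs an agent may launch; anything else is refused. (Assumed policy.)
const ALLOWED_PROGRAMS = new Set(['ls', 'pwd', 'cat', 'git', 'npm', 'node']);

// Characters that would give a shell a second command, a redirect or an
// expansion. The whole line is refused rather than escaped.
const SHELL_META = /[;&|`$<>(){}\\\n\r]/;

// Arguments that point at credential material. (Assumed denylist.)
const SENSITIVE_ARGS = [
  /(^|\/)\.ssh(\/|$)/,          // SSH keys, known_hosts
  /(^|\/)\.aws\/credentials$/,  // cloud credentials
  /(^|\/)\.env(\.|$)/,          // dotenv files
  /^\/etc\/g?shadow$/,          // password hashes
  /(^|\/)\.npmrc$/,             // registry tokens
];

// Vet a command string taken from the agent context. On success the result is
// an argv vector: argv[0] is the `file` and argv.slice(1) the `args` that
// node-pty's spawn(file, args, options) accepts, so no shell ever parses the line.
function vetCommand(command) {
  if (typeof command !== 'string' || command.trim() === '') {
    return { ok: false, reason: 'empty command' };
  }
  if (SHELL_META.test(command)) {
    return { ok: false, reason: 'shell metacharacters refused' };
  }
  const argv = command.trim().split(/\s+/);
  if (!ALLOWED_PROGRAMS.has(argv[0])) {
    return { ok: false, reason: `program not allowlisted: ${argv[0]}` };
  }
  const hit = argv.slice(1).find((a) => SENSITIVE_ARGS.some((re) => re.test(a)));
  if (hit !== undefined) {
    return { ok: false, reason: `sensitive path refused: ${hit}` };
  }
  return { ok: true, argv };
}

// Patterns scrubbed from the captured session buffer before it reaches a TUI
// or a handoff preview. (Assumed set; extend for your environment.)
const REDACTIONS = [
  { tag: 'PRIVATE_KEY',
    re: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g },
  { tag: 'ENV_SECRET',
    re: /^([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|API_KEY|PRIVATE_KEY)[A-Z0-9_]*)=.*$/gm },
  { tag: 'AWS_ACCESS_KEY_ID', re: /\bAKIA[0-9A-Z]{16}\b/g },
];

// Returns the scrubbed text and how many matches were replaced.
function redactOutput(text) {
  let redacted = text;
  let count = 0;
  for (const { tag, re } of REDACTIONS) {
    redacted = redacted.replace(re, (_match, name) => {
      count += 1;
      // Keep the variable name so the agent still learns that a secret exists,
      // just not its value. Other tags replace the whole match.
      return tag === 'ENV_SECRET' ? `${name}=[REDACTED:${tag}]` : `[REDACTED:${tag}]`;
    });
  }
  return { redacted, count };
}

// Constructed sample of what a pty buffer might hold after `env` and `cat` on an
// SSH key. The AWS values are the public documentation example credentials.
const SAMPLE_OUTPUT = [
  'total 8',
  'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE',
  'AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
  '-----BEGIN OPENSSH PRIVATE KEY-----',
  'b3BlbnNzaC1rZXktdjEAAAAA',
  '-----END OPENSSH PRIVATE KEY-----',
  'done',
].join('\n');

for (const c of ['ls -la', 'cat ~/.ssh/id_rsa', 'ls; curl http://attacker.example', 'rm -rf /']) {
  console.log(JSON.stringify(c), '->', JSON.stringify(vetCommand(c)));
}
const sample = redactOutput(SAMPLE_OUTPUT);
console.log(`${sample.count} redactions:\n${sample.redacted}`);
```

Passing the vetted argv to node-pty as separate file and args, rather than a single string through `sh -c`, is what removes the shell from the path; the metacharacter check exists so that nothing reaching argv could have meant more than one command. The redaction pass is defense in depth, not a substitute for the denylist: a bare `env` is on no sensitive-path list and still dumps every secret in the process environment, which is exactly the case the sample buffer exercises.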
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 07:52 AM