iterm2-driver
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill's primary function is sending text to terminal sessions using iterm2.async_send_text, which allows the execution of any shell command available to the user, including destructive commands or unauthorized software installation.
- [CREDENTIALS_UNSAFE] (HIGH): File examples/06-environment-vars.py explicitly demonstrates the extraction of sensitive environment variables, specifically referencing AWS_PROFILE and KUBECONFIG, which are high-value targets for attackers.
- [REMOTE_CODE_EXECUTION] (HIGH): The skill instructions (SKILL.md) require the agent to generate Python scripts and execute them using uv run. This creates a direct execution path from AI-generated content to the host operating system.
- [PROMPT_INJECTION] (HIGH): The skill has a high vulnerability surface for Indirect Prompt Injection (Category 8):
  - Ingestion points: External data processed during terminal automation or testing tasks.
  - Boundary markers: Absent; there are no instructions to use delimiters to separate trusted commands from untrusted data.
  - Capability inventory: Terminal command execution, Python file system access (open, os.remove), and environment variable reading.
  - Sanitization: Only basic shell quoting via shlex.quote is used for environment variables; no sanitization is applied to the logic or content of the terminal commands themselves.
Recommendations
- AI detected serious security threats
Audit Metadata