skills/kadel/claude-plugins/ghostty/Gen Agent Trust Hub

ghostty

Warn

Audited by Gen Agent Trust Hub on Apr 27, 2026

Risk Level: MEDIUM

COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses osascript to interact with the Ghostty terminal via the input text command. This simulates a user typing directly into the terminal, effectively executing any string passed to it as a shell command.
  • [COMMAND_EXECUTION]: The command string glow -p ${ABSOLUTE_FILE_PATH} is constructed by interpolating a file path variable. If the file path contains shell metacharacters (such as ;, &, |, or backticks) or characters that terminate the AppleScript string (like double quotes), it could allow for the execution of arbitrary, unintended commands within the user's terminal session.
  • [COMMAND_EXECUTION]: While the skill includes a verification step to ensure the file exists, it does not specify sanitizing or escaping the path before it is sent to the terminal emulator. That escaping is a necessary security boundary when automating shell input.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 27, 2026, 02:14 PM