open-terminal-guide
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE
Flags: COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The documentation describes endpoints (/execute and /api/terminals) designed to run arbitrary shell commands on the host or within a container.
- [DATA_EXFILTRATION]: Provides full filesystem access through the /files/* API, enabling reading, writing, and uploading files, which could be used to access sensitive data.
- [REMOTE_CODE_EXECUTION]: Describes an interface for executing arbitrary Python code via Jupyter Notebook kernels using the /notebooks endpoint.
- [EXTERNAL_DOWNLOADS]: References the installation of the 'open-terminal' package from PyPI and the use of Docker images from 'ghcr.io/open-webui', which is a recognized service.
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface as it processes untrusted data from files and command outputs.
  - Ingestion points: File content reading via /files/read and command output polling via /execute/{process_id}/status in 'references/api.md'.
  - Boundary markers: None documented in the API specifications.
  - Capability inventory: Shell command execution, filesystem writes, and Jupyter code execution documented across all reference files.
  - Sanitization: No sanitization or escaping of external data is described in the architectural overview.
Audit Metadata