asciinema-player

Warn

Audited by Gen Agent Trust Hub on Apr 4, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill constructs a shell command by interpolating variables such as {file_path}, {speed}, and {options} into an AppleScript string that is executed via osascript in Step 3.2. This string is then sent to an iTerm2 session using the write text command, which causes the shell in that window to execute the string.
  • The instructions do not require the agent to quote or sanitize the {file_path} variable. If a user selects a file with a malicious name containing shell metacharacters (e.g., ; rm -rf /), those commands could be executed in the resulting iTerm2 window.
  • The use of osascript -e '...' for command construction also breaks shell quoting if any variable contains a single quote, potentially leading to command execution in the host environment's shell as well.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute osascript for controlling external applications (iTerm2) and brew for software installation. While these are required for the skill's stated purpose, they provide a high degree of control over the local system environment.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 4, 2026, 09:51 AM